For Active Directory user sources, there's a place to define what roles exist using an LDAP query:
... and there's a place to define which user gets what role:
But I can't find a reason, beyond the convenience of having a list of roles to use in scripting, that this property needs to be populated at all. Because (afaik)...
A user's roles are retrieved from the user object with no reference to that user source's roles.
Any user can have any role assigned (based on their LDAP user object attributes) regardless of what that user source's list of roles is. I don't know what use it's supposed to have.
It's been bugging me, not understanding this, so I figured I'd just ask to see if I'm missing something here.
- Is this just a vestigial setting that was previously used but no longer is?
- Is there just not as much of a need for it with this kind of user source in particular, so it was added to keep the functionality between user sources consistent?
- Am I simply overthinking this??
I'd appreciate any thoughts on the topic! I hear AD user sources are getting a glow up in v8.3 in any case.
Unrelatedly...
I miss the time when I didn't know what this meant...
```
(&(objectClass=user)(!(objectClass=computer))(memberOf:1.2.840.113556.1.4.1941:=CN=MyGroup,OU=MyOU,OU=MyDept,DC=ACME,DC=NET))
```
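For readers decoding the filter quoted at the end of the post, here is an added example (not part of the original post, and not Ignition or Active Directory code) that emulates its three clauses over a small in-memory directory. OID 1.2.840.113556.1.4.1941 is the LDAP_MATCHING_RULE_IN_CHAIN rule, which follows `memberOf` transitively; every entry other than the MyGroup DN is constructed, and the function names are hypothetical.

```python
# Constructed sample directory (not from the post): DN -> objectClass values and direct memberOf.
BASE = "OU=MyOU,OU=MyDept,DC=ACME,DC=NET"
TARGET = "CN=MyGroup," + BASE
NESTED = "CN=Operators," + BASE   # hypothetical group nested inside MyGroup
LOOP_A = "CN=LoopA," + BASE       # hypothetical groups that are members of each other
LOOP_B = "CN=LoopB," + BASE
USER = {"top", "person", "organizationalPerson", "user"}

DIRECTORY = {
    TARGET: {"objectClass": {"top", "group"}, "memberOf": set()},
    NESTED: {"objectClass": {"top", "group"}, "memberOf": {TARGET}},
    LOOP_A: {"objectClass": {"top", "group"}, "memberOf": {LOOP_B}},
    LOOP_B: {"objectClass": {"top", "group"}, "memberOf": {LOOP_A}},
    "CN=alice," + BASE: {"objectClass": USER, "memberOf": {TARGET}},   # direct member
    "CN=bob," + BASE: {"objectClass": USER, "memberOf": {NESTED}},     # member via nesting
    "CN=dave," + BASE: {"objectClass": USER, "memberOf": {LOOP_A}},    # unrelated, cyclic groups
    # AD computer accounts also carry objectClass=user, hence the (!(objectClass=computer)) clause.
    "CN=PC01," + BASE: {"objectClass": USER | {"computer"}, "memberOf": {TARGET}},
}

def in_chain(dn, target, directory):
    """Emulate memberOf:1.2.840.113556.1.4.1941:=target by walking memberOf transitively."""
    seen, stack = set(), list(directory[dn]["memberOf"])
    while stack:
        group = stack.pop()
        if group.lower() == target.lower():   # DN comparison is case-insensitive
            return True
        if group in seen or group not in directory:
            continue                          # already visited (cycle) or unknown group
        seen.add(group)
        stack.extend(directory[group]["memberOf"])
    return False

def matches(dn, directory, target=TARGET, transitive=True):
    """Apply the filter's three AND-ed clauses to one entry."""
    entry = directory[dn]
    if "user" not in entry["objectClass"] or "computer" in entry["objectClass"]:
        return False
    if transitive:
        return in_chain(dn, target, directory)
    return target in entry["memberOf"]        # plain (memberOf=...) sees direct members only

def search(directory, transitive=True):
    """Return the sorted DNs that the filter would select."""
    return sorted(dn for dn in directory if matches(dn, directory, transitive=transitive))
```

With the in-chain rule, `search(DIRECTORY)` returns alice and bob; with `transitive=False` only alice matches, which is the difference to keep in mind when auditing who a group-based filter actually admits.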