diff --git a/roles/web-app-openwebui/templates/env.j2 b/roles/web-app-openwebui/templates/env.j2
index 23d333b2..d1ee056e 100644
--- a/roles/web-app-openwebui/templates/env.j2
+++ b/roles/web-app-openwebui/templates/env.j2
@@ -35,10 +35,10 @@ OAUTH_SCOPES=openid email profile
 # Optional: Role Management
 # =========================
 # Enable automatic role mapping from token claims
-# ENABLE_OAUTH_ROLE_MANAGEMENT=true
-# OAUTH_ROLES_CLAIM=roles
+ENABLE_OAUTH_ROLE_MANAGEMENT=true
+OAUTH_ROLES_CLAIM={{ RBAC.GROUP.CLAIM }}
 # OAUTH_ALLOWED_ROLES=user
-# OAUTH_ADMIN_ROLES=admin
+OAUTH_ADMIN_ROLES={{ [ RBAC.GROUP.NAME, application_id ~ '-administrator' ] | path_join }}
 
 # =========================
 # Optional: Group Management
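Review bot: `OAUTH_ALLOWED_ROLES` stays commented out while `ENABLE_OAUTH_ROLE_MANAGEMENT=true` is switched on, so which accounts receive the ordinary user role is left to Open WebUI's built-in default rather than to an RBAC group defined in this template; as far as I know an account whose claim matches neither list falls back to the default role at login, which should be confirmed against the deployed version. The admin grant on the `OAUTH_ADMIN_ROLES` line appears to be an exact string match against entries of the `RBAC.GROUP.CLAIM` claim, so it only takes effect if the identity provider emits full group paths in the same form `path_join` produces, and if that claim is actually delivered under the `openid email profile` scopes shown in the hunk header. I would set the allowed role explicitly to the group that should carry plain access and add a comment above the admin line such as `# Must equal a full group path from the IdP group claim; an exact match grants Open WebUI admin`. A group path containing a comma would also be split into several role names, assuming the value is parsed as a comma-separated list.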