{#- LDIF for application RBAC groups.
    For every (application, role) pair this renders one group entry
    (organizationalRole + posixGroup) under ldap.dn.ou.roles, followed by
    one "modify" record per user whose role list names that role.
    Caller-supplied variables: `applications`, `users`, `ldap`.
    NOTE(review): application_id, role_name and username are interpolated
    into DNs unescaped, so they must not contain DN special characters
    (',', '+', '"', '\', '<', '>', ';', '=' or leading/trailing spaces);
    they are assumed to come from inventory, not from end users. -#}
{%- for application_id, application_config in applications.items() %}
{#- Roles declared by the application plus a synthetic "administrator"
    role that every application gets; `combine` gives the synthetic entry
    precedence over a same-named declared role. -#}
{%- set declared_roles = application_config.rbac.roles | default({}) %}
{%- set all_roles = declared_roles | combine({
      'administrator': {
        'description': 'Has full administrative access: manage themes, plugins, settings, and users'
      }
    }) %}
{#- Group entry. NOTE(review): all roles of one application share the
    application's group_id as gidNumber -- confirm that is intended.
    A role without a description fails the render (strict undefined). -#}
{%- for role_name, role_spec in all_roles.items() %}

dn: cn={{ application_id }}-{{ role_name }},{{ ldap.dn.ou.roles }}
objectClass: top
objectClass: organizationalRole
objectClass: posixGroup
gidNumber: {{ application_config['group_id'] }}
cn: {{ application_id }}-{{ role_name }}
description: {{ role_spec.description }}
{#- Membership: one modify record per matching user.
    NOTE(review): a user's `roles` list is flat and not scoped to an
    application, so a user holding e.g. "administrator" is added as an
    occupant of that role in every application -- confirm this is the
    intended authorization model. -#}
{%- for username, user_spec in users.items() %}
{%- if role_name in (user_spec.roles | default([])) %}

dn: cn={{ application_id }}-{{ role_name }},{{ ldap.dn.ou.roles }}
changetype: modify
add: roleOccupant
roleOccupant: {{ ldap.attributes.user_id }}={{ username }},{{ ldap.dn.ou.users }}
{%- endif %}
{%- endfor %}
{%- endfor %}
{%- endfor %}