diff --git a/inventories/vagrant/host_vars/backend/opencloud.yml b/inventories/vagrant/host_vars/backend/opencloud.yml
index 6dd6dc7..f8fcc79 100644
--- a/inventories/vagrant/host_vars/backend/opencloud.yml
+++ b/inventories/vagrant/host_vars/backend/opencloud.yml
@@ -36,6 +36,16 @@ opencloud_ldap_group_base_dn: "ou=groups,dc=local,dc=test"
 # Draw.io integration
 opencloud_drawio_url: "https://drawio.local.test"
+# Role assignment via OIDC (maps LDAP groups from Keycloak token to OpenCloud roles)
+opencloud_role_assignment_driver: "oidc"
+opencloud_role_mapping:
+ - role_name: admin
+ claim_value: admins
+ - role_name: user
+ claim_value: users
+ - role_name: user
+ claim_value: developers
+
 # CSP configuration
 opencloud_csp_extra_connect_src:
 - "https://keycloak.local.test/"
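Review bot: `opencloud_role_mapping` lists claim values, but the hunk never says which token claim they are looked up in, so whether `admins`, `users` and `developers` match anything depends on a default that is not visible here. OpenCloud's proxy takes the claim name from `PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM` (upstream default `roles`, to my knowledge), while the comment speaks of LDAP groups, which Keycloak normally emits through a group-membership mapper under a claim name of its own; if the role exposes a variable for the claim name, set it next to `opencloud_role_assignment_driver`. Because the `admin` role is now granted purely on token content, the claim should come from a mapper the user cannot edit, not from a self-service attribute. I would also add `# First matching entry wins; keep admin first` above the list, assuming OpenCloud evaluates the mapping top-down as the upstream documentation describes.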