LDAP permission

I am starting to implement an authentication and authorization mechanism using LDAP for an existing system. During development, I came across a difficult design decision: where should user roles be stored?

If I used an RDBMS, it looks like there would be three tables for mapping roles to users: `user`, `role` and `user_role`.

Please suggest suitable solutions. I am thinking about storing user roles in the database and users in LDAP, but I'm not sure whether this is the best solution. I use JBoss as my application server.

+6
1 answer

From an architectural point of view, you have multiple solutions. Here is a solution that stores all your data in a directory.

In your Directory, you can model your "Roles" as objects of a "group" object class, for example groupOfNames or group (depending on your directory). The users' Distinguished Names (DNs) are recorded in a multi-valued attribute of these objects (usually `member`). The DN of the "Role" object can, in turn, be recorded in a multi-valued attribute of the user object (e.g. `memberOf`).

If your directory supports referential integrity, it can act as the system of record. The `member` and `memberOf` attributes can then be maintained by the Directory itself. This means that if you move a user from one organizational unit to another, the directory will update the `member` attribute of the Role objects the user belongs to.

In the other case (without referential integrity), your application must maintain the integrity of these attributes itself.

This is short, but I hope this helps.


Edited

First of all, I recommend Apache Directory Studio, which is (for me) one of the best LDAP browsers. This tool will let you see your directory and learn LDAP faster. Using this tool, I will show you how ADAM (Active Directory Application Mode), a free Microsoft directory, encodes Roles.

In the first screenshot, you can see AdminAdam as a member of the administrators group:

[Screenshot: AdminAdam as a member of the administrators group]

In this second screenshot, you can see the group listed in the `memberOf` attribute of the adminAdam user:

[Screenshot: the memberOf attribute of the user adminAdam]

ADAM supports referential integrity.

+7
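One way to make the integrity check the answer describes concrete, as an added example that is not part of the original answer: a small Python script over a constructed LDIF dump (the DNs and entries are assumptions) that compares the forward `member` links on group objects with the back `memberOf` links on user objects and reports the pairs that disagree.

```python
"""Check that `member` (on group objects) and `memberOf` (on user objects)
agree, for a directory that does not enforce referential integrity.
Added illustration with a constructed LDIF sample, not the answer's own code."""

# Constructed sample LDIF: one groupOfNames role and two users. The second user
# claims membership that the group itself does not record (an inconsistency).
SAMPLE_LDIF = """\
dn: cn=admins,ou=roles,dc=example,dc=com
objectClass: groupOfNames
cn: admins
member: uid=adminadam,ou=people,dc=example,dc=com

dn: uid=adminadam,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: adminadam
memberOf: cn=admins,ou=roles,dc=example,dc=com

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob
memberOf: cn=admins,ou=roles,dc=example,dc=com
"""


def parse_ldif(text):
    """Parse a simple LDIF dump into {dn: {attr: [values]}}.
    Attribute names and DNs are case-folded, as LDAP treats them case-insensitively."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():          # blank line ends the current entry
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value.lower(), {})
        elif current is not None:
            current.setdefault(attr, []).append(value.lower())
    return entries


def membership_mismatches(entries):
    """Return (missing_memberof, missing_member) as sorted lists of (group, user)
    DN pairs. missing_memberof: group lists the user, user lacks memberOf.
    missing_member: user claims memberOf, group lacks member. Both empty = consistent."""
    forward = {(g, u) for g, e in entries.items() for u in e.get("member", [])}
    backward = {(g, u) for u, e in entries.items() for g in e.get("memberof", [])}
    return sorted(forward - backward), sorted(backward - forward)
```

Running it against the sample reports that bob's `memberOf` has no matching `member` entry on the admins group, which is exactly the kind of drift the application has to repair when the directory does not do it.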

Source: https://habr.com/ru/post/889831/
