Red Hat build of Keycloak
RHBK-1638

Ability to remove synced roles from Keycloak if removed from LDAP


The LDAP group mapper has the option "Drop non existing LDAP groups". When it is ON, groups that no longer exist in LDAP are also removed from Keycloak during the sync of Keycloak groups from LDAP.

The LDAP role mapper does not have this option yet. Currently, when the `role-ldap-mapper` mapper type is used in RHSSO or RHBK and a corresponding LDAP role has been removed, the RHSSO/RHBK administrator has to remove the corresponding Keycloak role manually.
This RFE requests adding a `Drop non existing LDAP roles` option to the LDAP role mapper, so that roles removed from the LDAP server are also removed from Keycloak after a sync.

Roles created outside of the given LDAP provider should not be removed. For example:

• ldap-1 syncs role-1 into KC, which is marked as managed by ldap-1
• role-2 is created in the KC admin console
• role-1 is deleted from ldap-1
• during the next sync only roles marked as managed by ldap-1 that are missing in ldap-1 are deleted, and not role-2 (or other internal roles)
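The scenario above, modelled as an added Python example that is not Keycloak's code: the `ldap.managed-by` role attribute, the function names and the extra provider `ldap-2` are assumptions chosen to show that only roles marked as managed by the syncing provider are dropped.

```python
from dataclasses import dataclass, field

# Hypothetical role attribute recording which LDAP provider imported the role.
MANAGED_BY_ATTR = "ldap.managed-by"


@dataclass
class KeycloakRole:
    name: str
    attributes: dict = field(default_factory=dict)


def import_from_ldap(realm: dict, provider_id: str, ldap_roles: set) -> None:
    """Create a realm role for every LDAP role and mark it as managed by provider_id.
    A role that already exists without the marker (e.g. created in the admin
    console) is left unmarked so a later sync can never delete it."""
    for name in ldap_roles:
        if name not in realm:
            realm[name] = KeycloakRole(name, {MANAGED_BY_ATTR: provider_id})


def drop_missing_ldap_roles(realm: dict, provider_id: str, ldap_roles: set) -> list:
    """'Drop non existing LDAP roles' for one provider: delete only roles that
    are marked as managed by provider_id AND are absent from the current LDAP
    result. Internal roles and roles owned by other providers are untouched."""
    removed = []
    for name, role in list(realm.items()):
        if role.attributes.get(MANAGED_BY_ATTR) != provider_id:
            continue  # not managed by this provider: never touched
        if name in ldap_roles:
            continue  # still present in LDAP: keep
        del realm[name]
        removed.append(name)
    return sorted(removed)


def scenario() -> dict:
    """Replays the ticket's example: role-1 from ldap-1, role-2 from the console,
    role-3 from a second provider; role-1 then disappears from ldap-1."""
    realm = {}
    import_from_ldap(realm, "ldap-1", {"role-1"})   # constructed sample data
    import_from_ldap(realm, "ldap-2", {"role-3"})
    realm["role-2"] = KeycloakRole("role-2")        # created in KC admin console
    removed = drop_missing_ldap_roles(realm, "ldap-1", set())  # role-1 gone
    return {"removed": removed, "remaining": sorted(realm)}
```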

psilva@redhat.com Pedro Igor Craveiro
rhn-support-igueye Issa Gueye