diff --git a/infra/values/base/grafana-values.yaml b/infra/values/base/grafana-values.yaml
index a54164c..81e2dbf 100644
--- a/infra/values/base/grafana-values.yaml
+++ b/infra/values/base/grafana-values.yaml
@@ -35,7 +35,9 @@ grafana.ini:
 auth_url: https://id.forteapps.net/realms/forte/protocol/openid-connect/auth
 token_url: https://id.forteapps.net/realms/forte/protocol/openid-connect/token
 api_url: https://id.forteapps.net/realms/forte/protocol/openid-connect/userinfo
- role_attribute_path: ""
+ role_attribute_path: "contains(resource_access.grafana.roles[*], 'Admin') && 'Admin' || contains(resource_access.grafana.roles[*], 'Editor') && 'Editor' || 'Viewer'"
+ role_attribute_strict: true
+ allow_assign_grafana_admin: true
 auto_login: true
 auth:
 disable_login_form: true
diff --git a/infra/values/base/keycloak-values.yaml b/infra/values/base/keycloak-values.yaml
index d8f98e7..6fad310 100644
--- a/infra/values/base/keycloak-values.yaml
+++ b/infra/values/base/keycloak-values.yaml
@@ -115,7 +115,23 @@ keycloakConfigCli:
 "k8s.secret.name": "grafana-oidc-credentials",
 "k8s.secret.client-id-key": "client-id",
 "k8s.secret.client-secret-key": "client-secret"
- }
+ },
+ "protocolMappers": [
+ {
+ "name": "client-roles",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-client-role-mapper",
+ "config": {
+ "claim.name": "resource_access.grafana.roles",
+ "jsonType.label": "String",
+ "multivalued": "true",
+ "usermodel.clientRoleMapping.clientId": "grafana",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "userinfo.token.claim": "true"
+ }
+ }
+ ]
 }
 ]
 }
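Review bot: The trailing `|| 'Viewer'` fallback in `role_attribute_path` (grafana-values.yaml) means the expression always yields a role, so `role_attribute_strict: true` can never reject a login and every account that can authenticate against the realm becomes a Viewer. If access is meant to be limited to users holding a Grafana client role, end the expression with `|| contains(resource_access.grafana.roles[*], 'Viewer') && 'Viewer'` so that strict mode denies users with no mapped role. `allow_assign_grafana_admin: true` is also inert as written, because the expression never returns `GrafanaAdmin`; dropping it avoids leaving server-admin assignment switched on for a later edit of the expression to pick up unnoticed. The surrounding OAuth section of `grafana.ini` starts and ends outside the hunk.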
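Review bot: The mapper added in keycloak-values.yaml only emits roles; nothing visible in this hunk defines the `Admin` and `Editor` client roles on the `grafana` client that the Grafana expression matches by exact name. If they are not declared elsewhere in the realm import, every user silently resolves to the `'Viewer'` fallback, so it is worth confirming they exist, or adding them to the import, in the same change. The claim is also written to the access token; if Grafana only needs it from the ID token and the userinfo response, `"access.token.claim": "false"` keeps role data out of tokens presented to other services. The client definition starts outside the hunk.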