diff --git a/src/geoserver/layman_role_service/config.xml b/src/geoserver/layman_role_service/config.xml
new file mode 100644
index 000000000..fb228d0b7
--- /dev/null
+++ b/src/geoserver/layman_role_service/config.xml
@@ -0,0 +1,15 @@
+<jdbcroleservice>
+  <id>-6e75d003:18c584ed8f6:-7fee</id>
+  <name>layman_role_service</name>
+  <className>org.geoserver.security.jdbc.JDBCRoleService</className>
+  <propertyFileNameDDL>rolesddl.xml</propertyFileNameDDL>
+  <propertyFileNameDML>rolesdml.xml</propertyFileNameDML>
+  <jndi>false</jndi>
+  <driverClassName>org.postgresql.Driver</driverClassName>
+  <connectURL>xxx</connectURL>
+  <userName>xxx</userName>
+  <password>xxx</password>
+  <creatingTables>false</creatingTables>
+  <adminRoleName>ADMIN</adminRoleName>
+  <groupAdminRoleName>GROUP_ADMIN</groupAdminRoleName>
+</jdbcroleservice>
diff --git a/src/geoserver/layman_role_service/rolesddl.xml b/src/geoserver/layman_role_service/rolesddl.xml
new file mode 100644
index 000000000..fcef49401
--- /dev/null
+++ b/src/geoserver/layman_role_service/rolesddl.xml
@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd">
+<properties>
+  <comment>DDL statements for role database</comment>
+  <entry key="check.table">role_props</entry>
+  <entry key="roles.create">
+        create table _role_service.roles(name varchar(64) not null,parent varchar(64),  primary key(name))
+  </entry>
+  <entry key="roleprops.create">
+        create table _role_service.role_props(rolename varchar(64) not null,propname varchar(64) not null, propvalue varchar(2048),primary key (rolename,propname))
+  </entry>
+
+  <entry key="userroles.create">
+        create table _role_service.user_roles(username varchar(128) not null, rolename varchar(64) not null,  primary key(username,rolename))
+  </entry>
+  <entry key="userroles.indexcreate">
+        create index _role_service.user_roles_idx on user_roles(rolename,username)
+  </entry>
+  <entry key="grouproles.create">
+        create table _role_service.group_roles(groupname varchar(128) not null, rolename varchar(64) not null,  primary key(groupname,rolename))
+  </entry>
+  <entry key="grouproles.indexcreate">
+        create index group_roles_idx on _role_service.group_roles(rolename,groupname)
+  </entry>
+
+
+
+  <entry key="roles.drop">drop table _role_service.roles</entry>
+  <entry key="roleprops.drop">drop table _role_service.role_props</entry>
+  <entry key="userroles.drop">drop table _role_service.user_roles</entry>
+  <entry key="grouproles.drop">drop table _role_service. group_roles</entry>
+
+</properties>
diff --git a/src/geoserver/layman_role_service/rolesdml.xml b/src/geoserver/layman_role_service/rolesdml.xml
new file mode 100644
index 000000000..518d46413
--- /dev/null
+++ b/src/geoserver/layman_role_service/rolesdml.xml
@@ -0,0 +1,106 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd">
+<properties>
+  <comment>DML statements for role database</comment>
+
+  <entry key="roles.count">
+        select count(*)  from _role_service.roles
+  </entry>
+  <entry key="roles.all">
+        select name,parent from _role_service.roles
+  </entry>
+  <entry key="roles.keyed">
+        select parent from _role_service.roles where name = ?
+  </entry>
+  <entry key="roles.insert">
+        insert into _role_service.roles (name) values (?)
+  </entry>
+  <!-- nothing to update at the moment, use dummy statement -->
+  <entry key="roles.update">
+        update _role_service.roles set name=name where name = ?
+  </entry>
+  <entry key="roles.parentUpdate">
+        update _role_service.roles set parent = ? where name = ?
+  </entry>
+    <entry key="roles.deleteParent">
+        update _role_service.roles set parent = null where parent = ?
+  </entry>
+  <entry key="roles.delete">
+        delete from _role_service.roles where name = ?
+  </entry>
+  <entry key="roles.deleteAll">
+        delete from _role_service.roles
+  </entry>
+
+
+  <entry key="roleprops.all">
+        select rolename,propname,propvalue from  _role_service.role_props
+  </entry>
+  <entry key="roleprops.selectForRole">
+        select propname,propvalue from  _role_service.role_props where rolename = ?
+  </entry>
+  <entry key="roleprops.selectForUser">
+        select p.rolename,p.propname,p.propvalue from  _role_service.role_props p,_role_service.user_roles u where u.rolename = p.rolename and u.username = ?
+  </entry>
+  <entry key="roleprops.selectForGroup">
+        select p.rolename,p.propname,p.propvalue from  _role_service.role_props p,_role_service.group_roles g where g.rolename = p.rolename and g.groupname = ?
+  </entry>
+  <entry key="roleprops.deleteForRole">
+        delete from _role_service.role_props where rolename=?
+  </entry>
+  <entry key="roleprops.insert">
+        insert into _role_service.role_props(rolename,propname,propvalue) values (?,?,?)
+  </entry>
+  <entry key="roleprops.deleteAll">
+        delete from _role_service.role_props
+  </entry>
+
+
+  <entry key="userroles.rolesForUser">
+        select u.rolename,r.parent from _role_service.user_roles u ,_role_service.roles r where r.name=u.rolename and u.username = ?
+  </entry>
+  <entry key="userroles.usersForRole">
+        select username from _role_service.user_roles where rolename = ?
+  </entry>
+  <entry key="userroles.insert">
+        insert into _role_service.user_roles(rolename,username) values (?,?)
+  </entry>
+  <entry key="userroles.delete">
+        delete from _role_service.user_roles where rolename=? and username = ?
+  </entry>
+  <entry key="userroles.deleteRole">
+        delete from _role_service.user_roles where rolename=?
+  </entry>
+  <entry key="userroles.deleteUser">
+        delete from _role_service.user_roles where username = ?
+  </entry>
+  <entry key="userroles.deleteAll">
+        delete from _role_service.user_roles
+  </entry>
+
+
+
+  <entry key="grouproles.rolesForGroup">
+        select g.rolename,r.parent from _role_service.group_roles g,r_role_service.oles r  where g.rolename = r.name and g.groupname = ?
+  </entry>
+  <entry key="grouproles.groupsForRole">
+        select groupname from _role_service.group_roles where rolename = ?
+  </entry>
+  <entry key="grouproles.insert">
+        insert into _role_service.group_roles(rolename,groupname) values (?,?)
+  </entry>
+  <entry key="grouproles.delete">
+        delete from _role_service.group_roles where rolename=? and groupname = ?
+  </entry>
+  <entry key="grouproles.deleteRole">
+        delete from _role_service.group_roles where rolename=?
+  </entry>
+  <entry key="grouproles.deleteGroup">
+        delete from _role_service.group_roles where groupname = ?
+  </entry>
+    <entry key="grouproles.deleteAll">
+        delete from _role_service.group_roles
+  </entry>
+
+
+</properties>
diff --git a/src/geoserver/role_service.py b/src/geoserver/role_service.py
new file mode 100644
index 000000000..d8e21c73d
--- /dev/null
+++ b/src/geoserver/role_service.py
@@ -0,0 +1,46 @@
+from distutils.dir_util import copy_tree
+import os
+import shutil
+from urllib.parse import urlparse
+from lxml import etree as ET
+
+
+from requests_util import url_util
+from . import authn
+
+
+ROLE_SERVICE_NAME = 'layman_role_service'
+ROLE_SERVICE_PATH = 'security/role/'
+DIRECTORY = os.path.dirname(os.path.abspath(__file__))
+
+
+def setup_role_service(data_dir, service_url, ):
+    role_service_path = os.path.join(data_dir, ROLE_SERVICE_PATH)
+    layman_role_service_path = os.path.join(role_service_path, ROLE_SERVICE_NAME)
+    if os.path.exists(layman_role_service_path):
+        shutil.rmtree(layman_role_service_path)
+    source_path = os.path.join(DIRECTORY, ROLE_SERVICE_NAME)
+    os.mkdir(layman_role_service_path)
+    copy_tree(source_path, layman_role_service_path)
+
+    role_service_config_path = os.path.join(layman_role_service_path, 'config.xml')
+    role_service_xml = ET.parse(role_service_config_path)
+
+    parsed_url = urlparse(service_url)
+
+    element = role_service_xml.find('userName')
+    element.text = parsed_url.username
+
+    element = role_service_xml.find('password')
+    element.text = parsed_url.password
+
+    element = role_service_xml.find('connectURL')
+    element.text = f'jdbc:{url_util.redact_uri(service_url, remove_username=True)}'
+
+    role_service_xml.write(role_service_config_path)
+
+    security_xml = authn.get_security(data_dir)
+    element = security_xml.find('roleServiceName')
+    element.text = ROLE_SERVICE_NAME
+    security_path = os.path.join(data_dir, 'security/config.xml')
+    security_xml.write(security_path)
diff --git a/src/layman/authz/role_service.py b/src/layman/authz/role_service.py
index 218f43769..fcff94a0e 100644
--- a/src/layman/authz/role_service.py
+++ b/src/layman/authz/role_service.py
@@ -20,6 +20,10 @@ def ensure_admin_roles():
     as
     select %s as username, %s as rolename
     UNION ALL
+    select 'root', 'ADMIN'
+    UNION ALL
+    select 'admin', 'ADMIN'
+    UNION ALL
     select %s, 'ADMIN'
     ;"""
     db_util.run_statement(create_admin_user_roles_view, (settings.LAYMAN_GS_USER, settings.LAYMAN_GS_ROLE, settings.LAYMAN_GS_USER))
diff --git a/src/setup_geoserver.py b/src/setup_geoserver.py
index 5010e3a37..4c8c2bde3 100644
--- a/src/setup_geoserver.py
+++ b/src/setup_geoserver.py
@@ -2,8 +2,7 @@
 import sys
 
 import geoserver
-from geoserver import epsg_properties
-from geoserver import authn
+from geoserver import epsg_properties, authn, role_service
 import layman_settings as settings
 
 
@@ -26,6 +25,9 @@ def main():
                       )
     epsg_properties.setup_epsg(settings.GEOSERVER_DATADIR,
                                set(settings.LAYMAN_OUTPUT_SRS_LIST))
+    role_service.setup_role_service(settings.GEOSERVER_DATADIR,
+                                    settings.LAYMAN_ROLE_SERVICE_URI,
+                                    )
 
 
 if __name__ == "__main__":