diff --git a/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcAuthController.java b/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcAuthController.java
index d0dc7e72..6e480967 100644
--- a/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcAuthController.java
+++ b/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcAuthController.java
@@ -222,7 +222,7 @@ public class OidcAuthController {
                 for (String roleName : oidcExtractedRoles) {
                     UUID roleId = SystemRole.BY_NAME.get(SystemRole.normalizeScope(roleName));
                     if (roleId != null) {
-                        rbacService.assignRoleToUser(userId, roleId);
+                        rbacService.assignManagedRole(userId, roleId, null);
                         log.info("OIDC role {} assigned to {} (from token claim)", roleName, userId);
                     }
                 }
@@ -232,7 +232,7 @@ public class OidcAuthController {
                     for (String roleName : defaultRoles) {
                         UUID roleId = SystemRole.BY_NAME.get(SystemRole.normalizeScope(roleName));
                         if (roleId != null) {
-                            rbacService.assignRoleToUser(userId, roleId);
+                            rbacService.assignManagedRole(userId, roleId, null);
                             log.debug("Default role {} assigned to {} (no claim mapping or OIDC roles)", roleName, userId);
                         }
                     }