If the LDAP data is all you have, then how can you define a role? It would seem that there must be some sort of combinations of groups that define a role. How is that being determined? If it is based on a specific set of groups, then you could either create a separate linking table that says this role has this group, which would involve adding a fourth table with pointers between roles and groups. That is probably the most flexible arrangement. Another option would be to put 12 fields in the Roles table that point to the Groups that Role has, but that is less flexible.