Think: Is this a person, or is it a job that will continue after that person leaves? The latter: e.g. role = press officer.
First go to e-groups.cern.ch. Check if the group you want already exists before you create a new one. If it does, get the name. If it doesn’t, create new static group. e.g. press-office-editors
Back on your site, go to People>permissions>roles> add role Add the new name for the role, and THINK about which permissions that role needs.
Configuration > Shibboleth settings > Shibboleth group rules > add new rule Shibboleth attribute name: ADFS_GROUP ^some-e-group-at-cern$ Add the role. ALWAYS click "Sticky"
To make a role for all trusted CERN users (those with AIS logins) the role has to be mapped to ^ais-users$ in the Shibboleth settings