We are trying to create a rule that basically says "When Users gets app-role ABC also give them Group ABC".
The issue we are running into is that the rule criteria doesn't have an In app-role option. It only has In account, In Group, or In Role.
I made one app-role as a child to another app-role but this only works when the app-role is explicitly requested.
The following only works on explicit requests.