Creating "super-roles" from LDAP


In the LDAP tree of my user federation, I have so-called roles with member attributes:

dn: uid=21579852,ou=roles,o=foo,o=example,c=com
objectClass: organizationalUnit
cn: myrolename
uid: 21579852
member: uid=u1,ou=users,ou=foo,o=example,c=com
member: uid=u2,ou=users,ou=foo,o=example,c=com
member: uid=u3,ou=users,ou=foo,o=example,c=com

I can now easily map the LDAP cn myrolename to roles or groups in Keycloak. Now I want to do some aggregation based on an object called spRightObject; the attribute uid is the same in both objects:

dn: righttypeid=2001673,uid=21579852,ou=roles,o=foo,o=example,c=com
righttypeid: 2001673
objectClass: top
objectClass: spRightObject
uid: 21579852
rightname: system1
rightname: system2
rightname: system3

I now want to somehow achieve that only groups (or maybe roles) with the rightname system1 are able to use a certain client. What would be the best approach here?

Thanks in advance for any answers.
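One way to compute the aggregation the question asks for, as an added example that is not part of the original post and not Keycloak's own code: join each role entry (uid=...,ou=roles) with its child spRightObject on the shared uid, then resolve which member DNs are entitled to a given rightname. The LDIF below is constructed for the example (the two entries from the question plus a second role/right pair so the join is non-trivial); entry shapes, attribute names and DNs are assumed to be exactly as shown in the question. Pushing the resulting membership into a Keycloak group or role (for example from a periodic sync job via the Admin REST API) is outside the snippet.

```python
"""
Resolve which LDAP users hold a given rightname by joining role entries
(uid=<id>,ou=roles,...) with their child spRightObject entries
(righttypeid=<n>,uid=<id>,ou=roles,...) on the shared uid attribute.

Added example; not code from the original post or from Keycloak.
Assumes the entry shapes shown in the question. Sample LDIF is constructed.
"""
from collections import defaultdict

# Constructed sample LDIF modelled on the question's entries, with a
# second role/right pair added so the aggregation has something to do.
SAMPLE_LDIF = """\
dn: uid=21579852,ou=roles,o=foo,o=example,c=com
objectClass: organizationalUnit
cn: myrolename
uid: 21579852
member: uid=u1,ou=users,ou=foo,o=example,c=com
member: uid=u2,ou=users,ou=foo,o=example,c=com
member: uid=u3,ou=users,ou=foo,o=example,c=com

dn: righttypeid=2001673,uid=21579852,ou=roles,o=foo,o=example,c=com
righttypeid: 2001673
objectClass: top
objectClass: spRightObject
uid: 21579852
rightname: system1
rightname: system2
rightname: system3

dn: uid=31000001,ou=roles,o=foo,o=example,c=com
objectClass: organizationalUnit
cn: otherrole
uid: 31000001
member: uid=u3,ou=users,ou=foo,o=example,c=com
member: uid=u4,ou=users,ou=foo,o=example,c=com

dn: righttypeid=2001674,uid=31000001,ou=roles,o=foo,o=example,c=com
righttypeid: 2001674
objectClass: top
objectClass: spRightObject
uid: 31000001
rightname: system2
"""


def parse_ldif(text):
    """Minimal LDIF reader: a list of dicts, one per blank-line separated
    entry, mapping lowercased attribute name -> list of values. Comment
    lines are skipped; base64 (::) values and line folding are not needed
    for the entries in question and are not handled."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def users_with_right(entries, wanted):
    """Return {role cn: set(member DNs)} for every role whose child
    spRightObject carries `wanted` as a rightname. The join key is the
    uid attribute shared by the role entry and the spRightObject entry."""
    roles_by_uid = {}
    rights_by_uid = defaultdict(set)
    for e in entries:
        classes = {c.lower() for c in e.get("objectclass", [])}
        uid = e.get("uid", [None])[0]
        dn = e.get("dn", [""])[0].lower()
        if uid is None:
            continue
        if "sprightobject" in classes:
            rights_by_uid[uid].update(r.lower() for r in e.get("rightname", []))
        elif dn.startswith("uid="):           # role entry directly under ou=roles
            roles_by_uid[uid] = e
    wanted = wanted.lower()
    result = {}
    for uid, role in roles_by_uid.items():
        if wanted in rights_by_uid.get(uid, set()):
            cn = role.get("cn", [uid])[0]
            result[cn] = set(role.get("member", []))
    return result


def all_users_with_right(entries, wanted):
    """Flatten to the set of user DNs entitled to `wanted` via any role."""
    users = set()
    for members in users_with_right(entries, wanted).values():
        users |= members
    return users


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    for right in ("system1", "system2", "system3"):
        print(right, sorted(all_users_with_right(parsed, right)))
```

Against a live directory the same join can be done with a standard LDAP filter, searching `(&(objectClass=spRightObject)(rightname=system1))` under `ou=roles,o=foo,o=example,c=com`, taking the parent DN of each hit and reading its member attribute; the parsing above only stands in for that search so the example runs offline.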