diff --git a/cas_attributes.admin.inc b/cas_attributes.admin.inc
index 1ca583f..ae3376f 100644
--- a/cas_attributes.admin.inc
+++ b/cas_attributes.admin.inc
@@ -11,7 +11,7 @@
 function cas_attributes_admin_settings() {
   // Get current settings, and add default options.
   $cas_attributes = variable_get('cas_attributes', array());
-  $cas_attributes += array('sync_every_login' => NULL, 'relations' => array('mail' => NULL, 'name' => NULL));
+  $cas_attributes += array('sync_every_login' => NULL, 'relations' => array('mail' => NULL, 'name' => NULL), 'roles' => array('manage' => array(), 'mapping' => ''));
   $relations = $cas_attributes['relations'];
 
   $form['cas_attributes'] = array(
@@ -69,6 +69,33 @@ function cas_attributes_admin_settings() {
     }
   }
 
+  // Role Management
+  $managed_roles = $cas_attributes['roles'];
+  $form['cas_attributes']['roles'] = array(
+    '#type' => 'fieldset',
+    '#title' => 'Role Mapping',
+    '#access' => user_access('administer permissions'),
+  );
+
+  $roles = user_roles(TRUE);
+  unset($roles[DRUPAL_AUTHENTICATED_RID]);
+  asort($roles);
+
+  $form['cas_attributes']['roles']['manage'] = array(
+    '#type' => 'checkboxes',
+    '#title' => t('Roles to manage'),
+    '#description' => t('Which roles should be managed by these attributes.'),
+    '#default_value' => $managed_roles['manage'],
+    '#options' => $roles,
+  );
+
+  $form['cas_attributes']['roles']['mapping'] = array(
+    '#type' => 'textarea',
+    '#title' => t('Attributes'),
+    '#description' => t('Specify the token(s) to use to search for roles. Please put one per line.'),
+    '#default_value' => $managed_roles['mapping'],
+  );
+
   if (module_exists('token')) {
     $form['token_tree'] = array(
       '#theme' => 'token_tree',
@@ -121,4 +148,3 @@ function cas_attributes_list() {
 
   return theme('table', array('header' => $header, 'rows' => $rows));
 }
-
diff --git a/cas_attributes.module b/cas_attributes.module
index 3e888e4..433a1f3 100644
--- a/cas_attributes.module
+++ b/cas_attributes.module
@@ -46,7 +46,7 @@ function cas_attributes_menu() {
  */
 function cas_attributes_cas_user_presave(&$edit, $account) {
   $cas_attributes = variable_get('cas_attributes', array());
-  $cas_attributes += array('sync_every_login' => NULL, 'relations' => array('mail' => NULL, 'name' => NULL));
+  $cas_attributes += array('sync_every_login' => NULL, 'relations' => array('mail' => NULL, 'name' => NULL), 'roles' => array('manage' => array(), 'mapping' => ''));
 
   // We synchronize on the first login (always) and on future logins (if chosen).
   if ($account->login && !$cas_attributes['sync_every_login']) {
@@ -70,4 +70,35 @@ function cas_attributes_cas_user_presave(&$edit, $account) {
       }
     }
   }
+
+  // Manage Roles
+
+  // Turn our role mapping into a nice token array.
+  $role_mapping_tokens = token_scan($cas_attributes['roles']['mapping']);
+  if (!empty($role_mapping_tokens['cas'])) {
+    // Get our attributes
+    $attributes = token_find_with_prefix($role_mapping_tokens['cas'], 'attribute');
+    $cas_user_roles = array();
+    foreach($attributes as $name => $original) {
+      // If there is no token option then assume all of them.
+      if (strpos($name, ':') === FALSE) {
+        $cas_user_roles += explode('~&', token_replace('[cas:attribute:' . $name . ':join:~&]', $data));
+      }
+      else {
+        $cas_user_roles[] = token_replace($original, $data);
+      }
+    }
+
+    // Loop through all the managed roles and see if the user has access to them
+    // and set accordingly.
+    $roles = user_roles();
+    foreach ($cas_attributes['roles']['manage'] as $rid) {
+      if (in_array($roles[$rid], $cas_user_roles)) {
+        $edit['roles'][$rid] = $roles[$rid];
+      }
+      else {
+        unset($edit['roles'][$rid]);
+      }
+    }
+  }
 }
