diff --git a/cas_attributes.admin.inc b/cas_attributes.admin.inc
index 1ca583f..24bafff 100644
--- a/cas_attributes.admin.inc
+++ b/cas_attributes.admin.inc
@@ -11,7 +11,7 @@
 function cas_attributes_admin_settings() {
   // Get current settings, and add default options.
   $cas_attributes = variable_get('cas_attributes', array());
-  $cas_attributes += array('sync_every_login' => NULL, 'relations' => array('mail' => NULL, 'name' => NULL));
+  $cas_attributes += array('sync_every_login' => NULL, 'relations' => array('mail' => NULL, 'name' => NULL), 'roles' => array('manage' => array(), 'mapping' => ''));
   $relations = $cas_attributes['relations'];
 
   $form['cas_attributes'] = array(
@@ -69,6 +69,33 @@ function cas_attributes_admin_settings() {
     }
   }
 
+  // Role Management
+  $managed_roles = $cas_attributes['roles'];
+  $form['cas_attributes']['roles'] = array(
+    '#type' => 'fieldset',
+    '#title' => 'Role Mapping',
+    '#access' => user_access('administer permissions'),
+  );
+
+  $roles = user_roles(TRUE);
+  unset($roles[DRUPAL_AUTHENTICATED_RID]);
+  asort($roles);
+
+  $form['cas_attributes']['roles']['manage'] = array(
+    '#type' => 'checkboxes',
+    '#title' => t('Roles to manage'),
+    '#description' => t('Which roles should be managed by these attributes.'),
+    '#default_value' => $managed_roles['manage'],
+    '#options' => $roles,
+  );
+
+  $form['cas_attributes']['roles']['mapping'] = array(
+    '#type' => 'textarea',
+    '#title' => t('Attributes'),
+    '#description' => t('Specify the CAS attributes to use for roles, one per line. For example, <strong>department</strong> or <strong>affiliations</strong>. Do not use token syntax, as it will not be processed. .'),
+    '#default_value' => $managed_roles['mapping'],
+  );
+
   if (module_exists('token')) {
     $form['token_tree'] = array(
       '#theme' => 'token_tree',
@@ -121,4 +148,3 @@ function cas_attributes_list() {
 
   return theme('table', array('header' => $header, 'rows' => $rows));
 }
-
diff --git a/cas_attributes.module b/cas_attributes.module
index 3e888e4..48ee82b 100644
--- a/cas_attributes.module
+++ b/cas_attributes.module
@@ -46,7 +46,7 @@ function cas_attributes_menu() {
  */
 function cas_attributes_cas_user_presave(&$edit, $account) {
   $cas_attributes = variable_get('cas_attributes', array());
-  $cas_attributes += array('sync_every_login' => NULL, 'relations' => array('mail' => NULL, 'name' => NULL));
+  $cas_attributes += array('sync_every_login' => NULL, 'relations' => array('mail' => NULL, 'name' => NULL), 'roles' => array('manage' => array(), 'mapping' => ''));
 
   // We synchronize on the first login (always) and on future logins (if chosen).
   if ($account->login && !$cas_attributes['sync_every_login']) {
@@ -70,4 +70,47 @@ function cas_attributes_cas_user_presave(&$edit, $account) {
       }
     }
   }
+
+  // Manage Roles
+
+  // Make sure there are attributes to check.
+  if (!empty($cas_attributes['roles']['mapping'])) {
+    // Get the users attributes.
+    $user_attributes = cas_phpcas_attributes($data['cas']);
+    // Allow other modules to manipulate the attribute values.
+    // Can't use module_invoke_all() because we need to pass byref.
+    $arguments = array(&$user_attributes);
+    foreach(module_implements('cas_attributes_roles_modify') as $module) {
+      $function = $module . '_cas_attributes_roles_modify';
+      call_user_func_array($function, $arguments);
+    }
+
+    // Build all the attirbutes to check.
+    $cas_user_roles = array();
+    $attributes_to_check = explode("\n", $cas_attributes['roles']['mapping']);
+    foreach($attributes_to_check as $attribute) {
+      if (!empty($user_attributes[$attribute])) {
+        if (is_array($user_attributes[$attribute])) {
+          $cas_user_roles = array_merge($user_roles, $user_attributes[$attribute]);
+        }
+        else {
+          $cas_user_roles[] = $user_attributes[$attribute];
+        }
+      }
+    }
+
+    // Loop through all the managed roles and see if the user has access to them
+    // and set accordingly.
+    $roles = user_roles();
+    foreach ($cas_attributes['roles']['manage'] as $rid) {
+      if (!empty($rid)) {
+        if (in_array($roles[$rid], $cas_user_roles)) {
+          $edit['roles'][$rid] = $roles[$rid];
+        }
+        else {
+          unset($edit['roles'][$rid]);
+        }
+      }
+    }
+  }
 }
