An use case where we have Corp LDAP set up for Authentication, where you have also set up groups using which an External Role Mapper will map the Roles for the user in Apigee's internal OpenLDAP.

Now when does this External Role Mapper gets into play? Does it get triggered every time the user logs in (and maps the latest groups to Roles into Internal LDAP)? Or does it get triggered only at the time of new user creation?

Also, can we create custom role through the mapper code dynamically? For instance, in an Org when Dev of ProxyA sign-up then through ExternalRoleMapper can we clone an existing role and create a new one like ProxyARole, so that this Dev will have access only to his ProxyA?