diff --git a/backend/src/main/java/org/cryptomator/hub/keycloak/KeycloakAdminService.java b/backend/src/main/java/org/cryptomator/hub/keycloak/KeycloakAdminService.java
index 1d26154b9..5e89c8a07 100644
--- a/backend/src/main/java/org/cryptomator/hub/keycloak/KeycloakAdminService.java
+++ b/backend/src/main/java/org/cryptomator/hub/keycloak/KeycloakAdminService.java
@@ -21,6 +21,7 @@
 import org.keycloak.admin.client.resource.UserResource;
 import org.keycloak.representations.idm.CredentialRepresentation;
 import org.keycloak.representations.idm.GroupRepresentation;
+import org.keycloak.representations.idm.RoleRepresentation;
 import org.keycloak.representations.idm.UserRepresentation;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -204,6 +205,10 @@ public User syncUser(String userId) {
 dbUser.setEmail(keycloakUser.getEmail());
 dbUser.setFirstName(keycloakUser.getFirstName());
 dbUser.setLastName(keycloakUser.getLastName());
+ var kcRoleNames = userResource.roles().realmLevel().listAll().stream()
+ .map(RoleRepresentation::getName)
+ .toList();
+ dbUser.setRealmRoles(RealmRole.fromKcNames(kcRoleNames).stream().map(RealmRole::kcName).toArray(String[]::new));
 var attrs = keycloakUser.getAttributes();
 if (attrs != null && attrs.containsKey("picture")) {
@@ -297,6 +302,12 @@ public void updateUserRoles(String userId, Set roles) {
 if (!rolesToSet.isEmpty()) {
 roleMappings.add(rolesToSet.stream().map(realmRoles::getRealmRole).toList());
 }
+
+ // 3. sync direct roles from kc back to db:
+ var kcRoleNames = roleMappings.listAll().stream()
+ .map(RoleRepresentation::getName)
+ .toList();
+ dbUser.setRealmRoles(RealmRole.fromKcNames(kcRoleNames).stream().map(RealmRole::kcName).toArray(String[]::new));
 }
 // Group management methods
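Review bot: `userResource.roles().realmLevel().listAll()` in syncUser returns only the realm roles mapped directly to the user, so roles gained through composite roles or group membership will be missing from `dbUser.realmRoles` even though they may still appear in the user's tokens; the same holds for `roleMappings.listAll()` in updateUserRoles. If direct-only is intended (the comment in the later hunk suggests so), state it here as well, e.g. `// direct realm-role mappings only; effective roles (composites, groups) are not stored`, and make sure no authorization check treats the stored list as the complete role set. Keycloak typically also maps realm default roles to users, so `RealmRole.fromKcNames` will be handed names outside the application's own roles; its body is not visible here, so confirm it ignores unknown names rather than throwing. syncUser's body starts and ends outside the hunk.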
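Review bot: In the `// 3.` step of updateUserRoles the database copy is written only after Keycloak has already been changed by `roleMappings.add(...)`, so a failure of the extra `roleMappings.listAll()` round trip leaves Keycloak updated and `dbUser.realmRoles` stale. Whether that is recoverable depends on the transaction and retry handling around this method, which starts outside the hunk (as does the definition of `dbUser`); a comment such as `// Keycloak is authoritative; the db copy is a cache refreshed here and in syncUser` would make the trust relationship explicit for anyone later reading roles from the database. The expression `RealmRole.fromKcNames(kcRoleNames).stream().map(RealmRole::kcName).toArray(String[]::new)` is repeated verbatim from syncUser and would be better placed in one private helper, so both paths always filter role names identically.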