Externally provisioned roles should not be persisted
When you have:
1. a UserDirectoryProvider used as the same time as the default internal user/role provider, and
2. you have a user created in Opencast that also exists in the external provider, and
3. the external provider allocates additional roles to the user,
then Opencast persists those external roles in the internal database (mh_user_role and mh_role), which is undesireable as the external roles should be exclusively under the control of the external provider.
1) Add user that exists in Sakai, creates user but does not save other roles
I think this is the previous behaviour, but I want to be sure: By default new users in Opencast don't get any roles (not even ROLE_USER, oddly), so they would not get any Sakai roles. The Sakai roles aren't an option (see MH-11717, I'm working on it) in the role select, but the Opencast roles are. If I add those roles things seem to work fine for me post minor changeset that I'm about to push.
2) Cannot add additional internal roles to the user
See above, I can add roles both during creation and as a post-creation modification, although update has always worked for me.
Does the changeset resolve your testing issues?