External roles associated with a Series are not visible in the UI
The Admin UI only shows roles that it knows about. However, a series can be created (through REST calls) with an ACL which includes external roles that aren't known to the Admin UI and are not in the internal db (mh_role).
These roles are not visible in the UI when examining the ACL.
As a first pass, I've implemented a system where the external roles appear in the UI, and are treated as normal roles, but only the roles that are in the ACL already. The UI elements will not have any external roles aside from those in the ACL. For example, an ACL with ROLE_EXTERNAL granted read permissions will have the role in all of the appropriate places, but the dropdowns would not show ROLE_OTHER_EXTERNAL if it were available from the role provider(s). Dynamically fetching the list of roles isn't actually implemented in the UI, although it's faked - the list of roles is static once fetched, so the filtering when typing the role name is entirely client side. Future enhancements would make this a REST call which would do more advanced queries. That querying will be added as part of MH-11717.
Our production Sakai system has just under 55,000 sites at the moment, so that would be a minimum of 110,000 roles (site:learner and site:instructor), which would not be a performant solution either in executing the REST call to get the list of roles or in populating an HTML list.
Plus the admin UI should not be imposing that sort of architectural restriction on the system.
The UI needs a different type of input strategy. As I suggest in a related JIRA, it would be feasible for the provider code to have a roleExists() method that could choose to validate a given role String in some way (based on a regexp or actual lookup), but a provider should not have to return a single list of every possible valid role, and the UI should not expect to obtain that information.
Ok, so I think the underlying issue here is actually the Sakai glue code. The admin UI queries a list of all roles, and then gets the series itself. The series query should have all of the roles assigned to it as far as I can tell, but to display that role it needs to be in the list of roles that gets queried first. This is why the UI screenshot has two role rows, rather than one - it's rendering the html option element, but can't select the correct one since the option element's options are populated from the list.
The list of roles is fetched from all the role providers, but the Sakai glue doesn't register as a RoleProvider, and hence gets skipped. I'm not familiar enough with Sakai to know how our concept of roles would mesh with their system, but I'm guessing we just need to implement the correct REST calls.
Screenshots show a series created with role ids in the ACL which are known to an external system but not in the Opencast mh_role table. It's also not desirable to have all external roles exist within Opencast's db, because that would add many thousands of extra roles and create unnecessary synchronization issues.
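
The two ideas discussed in this issue, sketched as an added example (not Opencast or Sakai code): render every role present in a series ACL even when the role list does not contain it, and validate a typed role with a roleExists()-style check instead of enumerating all roles. The function names, the ACL entry fields, the role pattern and the sample data are assumptions constructed for illustration.

```javascript
// Added illustration. All names below are hypothetical, not Opencast's API.

// Assumed pattern for externally provided roles, modelled on the
// "site:learner" / "site:instructor" form mentioned in the discussion.
const EXTERNAL_ROLE_PATTERN = /^[A-Za-z0-9_.-]+:(learner|instructor)$/;

// Validate one role string without needing a list of every possible role.
function roleExists(role, knownRoles) {
  return knownRoles.has(role) || EXTERNAL_ROLE_PATTERN.test(role);
}

// Build one editor row per role in the ACL. Roles missing from the fetched
// role list are kept and flagged instead of being silently dropped, so every
// grant on the series stays visible to whoever reviews the ACL.
function buildAclRows(knownRoleList, acl) {
  const known = new Set(knownRoleList);
  const byRole = new Map();
  for (const ace of acl) {
    if (!byRole.has(ace.role)) {
      byRole.set(ace.role, {
        role: ace.role, read: false, write: false,
        external: !known.has(ace.role),
      });
    }
    if (ace.allow && (ace.action === 'read' || ace.action === 'write')) {
      byRole.get(ace.role)[ace.action] = true;
    }
  }
  return [...byRole.values()];
}

// Options for a row's dropdown: an external role is prepended so the
// select element has a matching option to mark as selected.
function optionsFor(row, knownRoleList) {
  return row.external ? [row.role, ...knownRoleList] : knownRoleList.slice();
}

// Constructed sample data: a fetched role list and a series ACL.
const sampleKnown = ['ROLE_ADMIN', 'ROLE_USER'];
const sampleAcl = [
  { role: 'ROLE_ADMIN', action: 'read', allow: true },
  { role: 'ROLE_ADMIN', action: 'write', allow: true },
  { role: 'ROLE_EXTERNAL', action: 'read', allow: true },
  { role: 'course101:instructor', action: 'write', allow: true },
];
```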