diff --git a/server/src/main/java/access/api/UserRoleOperations.java b/server/src/main/java/access/api/UserRoleOperations.java index eee49392..0a62d449 100644 --- a/server/src/main/java/access/api/UserRoleOperations.java +++ b/server/src/main/java/access/api/UserRoleOperations.java @@ -21,7 +21,7 @@ public UserRoleOperations(UserRoleResource roleResource) { public ResponseEntity> userRolesByRole(Long roleId, RoleValidator roleValidator) { - LOG.debug("/roles/"); + LOG.debug("/userRolesByRole/"); Role role = this.roleResource.getRoleRepository().findById(roleId).orElseThrow(() -> new NotFoundException("Role not found")); roleValidator.validate(role); List userRoles = this.roleResource.getUserRoleRepository().findByRole(role); diff --git a/server/src/main/java/access/internal/InternalInviteController.java b/server/src/main/java/access/internal/InternalInviteController.java index 322b9b91..67a7b71d 100644 --- a/server/src/main/java/access/internal/InternalInviteController.java +++ b/server/src/main/java/access/internal/InternalInviteController.java @@ -24,10 +24,12 @@ import org.springframework.http.ResponseEntity; import org.springframework.security.access.prepost.PreAuthorize; import org.springframework.security.core.annotation.AuthenticationPrincipal; +import org.springframework.transaction.annotation.Transactional; import org.springframework.validation.annotation.Validated; import org.springframework.web.bind.annotation.*; import java.util.ArrayList; +import java.util.Collection; import java.util.List; import java.util.UUID; 
@@ -82,6 +84,20 @@ public InternalInviteController(RoleRepository roleRepository, this.invitationOperations = new InvitationOperations(this); } + @GetMapping("/roles") + @PreAuthorize("hasRole('SP_DASHBOARD')") + public ResponseEntity> rolesByApplication(@Parameter(hidden = true) @AuthenticationPrincipal RemoteUser remoteUser) { + LOG.debug(String.format("/roles for user %s", remoteUser.getName())); + + List roles = remoteUser.getApplications() + .stream() + .map(application -> roleRepository.findByApplicationUsagesApplicationManageId(application.getManageId())) + .flatMap(Collection::stream) + .toList(); + manage.addManageMetaData(roles); + return ResponseEntity.ok(roles); + } + @GetMapping("/roles/{id}") @PreAuthorize("hasRole('SP_DASHBOARD')") public ResponseEntity role(@PathVariable("id") Long id, @@ -147,6 +163,7 @@ public ResponseEntity newInvitation(@Validated @RequestBody @GetMapping("user_roles/{roleId}") @PreAuthorize("hasRole('SP_DASHBOARD')") + @Transactional public ResponseEntity> byRole(@PathVariable("roleId") Long roleId, @Parameter(hidden = true) @AuthenticationPrincipal RemoteUser remoteUser) { return this.userRoleOperations.userRolesByRole(roleId, diff --git a/server/src/test/java/access/internal/InternalInviteControllerTest.java b/server/src/test/java/access/internal/InternalInviteControllerTest.java index 300ff36d..89750796 100644 --- a/server/src/test/java/access/internal/InternalInviteControllerTest.java +++ b/server/src/test/java/access/internal/InternalInviteControllerTest.java @@ -1,12 +1,8 @@ package access.internal; import access.AbstractTest; -import access.AccessCookieFilter; import access.manage.EntityType; -import access.model.Authority; -import access.model.InvitationRequest; -import access.model.Language; -import access.model.Role; +import access.model.*; import io.restassured.common.mapper.TypeRef; import io.restassured.http.ContentType; import org.junit.jupiter.api.Test; 
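Review bot: In `rolesByApplication`, the `flatMap` over `remoteUser.getApplications()` can emit the same role more than once when a role is linked to several of the caller's applications, which the repository method name `findByApplicationUsagesApplicationManageId` suggests is possible. Adding `.distinct()` before `.toList()` would avoid duplicate entries, provided `Role` has id-based `equals`/`hashCode`; otherwise dedupe by id. Beyond `hasRole('SP_DASHBOARD')`, the restriction to the caller's own applications is the only authorization boundary on this endpoint, so I would state it in a Javadoc such as `/** Lists the roles linked to the applications of the authenticated remote user; roles of other applications are never returned. */`. As a minor point, `LOG.debug(String.format(...))` builds the message even when debug logging is disabled.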
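Review bot: The `@Transactional` added on `byRole` opens a read-write transaction, while the part of `userRolesByRole` visible in this commit only performs lookups (`findById`, `validate`, `findByRole`). If nothing on that path writes, `@Transactional(readOnly = true)` states the intent. A short comment on why the transaction is needed would also help, e.g. `// keeps the persistence context open for associations read during role validation` if that is the reason. The transaction ends when the handler returns, so it does not cover lazy loading during response serialization. The body of `byRole` continues outside the hunk.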
@@ -63,6 +59,20 @@ void updateWithAPIUser() { } + @Test + void roleByApplication() { + List roles = given() + .when() + .auth().preemptive().basic("sp_dashboard", "secret") + .accept(ContentType.JSON) + .contentType(ContentType.JSON) + .get("/api/internal/invite/roles") + .as(new TypeRef<>() { + }); + + assertEquals(1, roles.size()); + } + @Test void findRole() { Role role = roleRepository.findByName("Research").get(); @@ -96,7 +106,7 @@ void deleteRole() { } @Test - void newInvitation() throws Exception { + void newInvitation() { stubForManageProviderById(EntityType.SAML20_SP, "4"); List roleIdentifiers = List.of(roleRepository.findByName("Research").get().getId()); @@ -126,4 +136,20 @@ void newInvitation() throws Exception { assertEquals(1, ((List) results.get("recipientInvitationURLs")).size()); } + @Test + void userRolesByRole() { + Long roleId = roleRepository.findByName("Research").get().getId(); + List userRoles = given() + .when() + .auth().preemptive().basic("sp_dashboard", "secret") + .accept(ContentType.JSON) + .contentType(ContentType.JSON) + .pathParam("roleId", roleId) + .get("/api/internal/invite/user_roles/{roleId}") + .as(new TypeRef<>() { + }); + + assertEquals(1, userRoles.size()); + } + } \ No newline at end of file
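Review bot: `roleByApplication` covers only the happy path with `assertEquals(1, roles.size())`, so it does not pin the property that matters for the new `/roles` endpoint: that roles of applications not assigned to the `sp_dashboard` user are left out. I would assert on the returned role's identity (its name or id) rather than the count alone, and add a case where a seeded role for a different application must not appear in the result. The same gap applies to `userRolesByRole` at the end of the file: a request with a `roleId` outside the caller's applications should be asserted to be rejected, with the expected status taken from the project's existing error handling. Asserting the HTTP status before `.as(...)` in both tests would also make an authorization failure show up as such rather than as a deserialization error.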