diff --git a/tf-stage-1/service_gitea.tf b/tf-stage-1/service_gitea.tf
index ea69fa6..891972f 100644
--- a/tf-stage-1/service_gitea.tf
+++ b/tf-stage-1/service_gitea.tf
@@ -28,10 +28,11 @@ resource "keycloak_openid_user_client_role_protocol_mapper" "gitea-role-mapper"
 realm_id = module.giteaclient.realm.id
 client_id = module.giteaclient.client.id
 # client_id_for_role_mappings = module.giteaclient.client.id
- multivalued = true
- name = "user-client-role-mapper"
- claim_name = "roles"
- add_to_userinfo = true
- add_to_access_token = true
- add_to_id_token = false
+ multivalued = true
+ name = "user-client-role-mapper"
+ claim_name = "roles"
+ add_to_userinfo = true
+ add_to_access_token = true
+ add_to_id_token = false
+ client_id_for_role_mappings = module.giteaclient.client.id
 }
diff --git a/tf-stage-1/service_grafana.tf b/tf-stage-1/service_grafana.tf
index b5da716..3c0f9bd 100644
--- a/tf-stage-1/service_grafana.tf
+++ b/tf-stage-1/service_grafana.tf
@@ -40,14 +40,15 @@ resource "keycloak_openid_user_property_protocol_mapper" "grafana-username-mappe
 }

 resource "keycloak_openid_user_client_role_protocol_mapper" "grafana-role-mapper" {
- realm_id = module.grafanaclient.realm.id
- client_id = module.grafanaclient.client.id
- multivalued = true
- name = "user-client-role-mapper"
- claim_name = "resource_access.$${client_id}.roles"
- add_to_userinfo = true
- add_to_access_token = true
- add_to_id_token = false
+ realm_id = module.grafanaclient.realm.id
+ client_id = module.grafanaclient.client.id
+ multivalued = true
+ name = "user-client-role-mapper"
+ claim_name = "resource_access.$${client_id}.roles"
+ add_to_userinfo = true
+ add_to_access_token = true
+ add_to_id_token = false
+ client_id_for_role_mappings = module.grafanaclient.client.id
 }

 resource "keycloak_role" "grafana-admin" {
diff --git a/tf-stage-1/service_hedgedoc.tf b/tf-stage-1/service_hedgedoc.tf
index 0c6061e..af0a671 100644
--- a/tf-stage-1/service_hedgedoc.tf
+++ b/tf-stage-1/service_hedgedoc.tf
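Review bot: The added `client_id_for_role_mappings = module.giteaclient.client.id` in gitea-role-mapper is given the same value as the mapper's own `client_id`, but the two arguments take different identifiers. `client_id` is the client resource's internal id, while `client_id_for_role_mappings` is matched against the client's OAuth client ID string. If `module.giteaclient.client` is the `keycloak_openid_client` resource (the module is not visible here), the filter would name no existing client and the `roles` claim would come out empty; `client_id_for_role_mappings = module.giteaclient.client.client_id` is likely what is meant. The same applies to the added line in the grafana-role-mapper hunk, and the commented-out `# client_id_for_role_mappings = ...` line left above the gitea attributes is now redundant and can be deleted.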
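Review bot: Nothing in the grafana-role-mapper block records why `client_id_for_role_mappings` is now set, and the reason is security-relevant. Per the provider documentation, leaving it unset puts the client roles of every client into the token, and this mapper also writes the claim to userinfo and the access token. A comment above the new line, for example `# emit only this client's roles; unset would add client roles of all clients to the token`, would keep a later cleanup from dropping the attribute.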
@@ -48,4 +48,5 @@ resource "keycloak_openid_user_session_note_protocol_mapper" "hedgedoc-ip-mapper
 session_note = "clientAddress"
 add_to_access_token = true
 add_to_id_token = true
+
 }