diff --git a/template/stacks/monitoring/kube-prometheus/values.yaml b/template/stacks/monitoring/kube-prometheus/values.yaml
index 7a0a4f1..1e42733 100644
--- a/template/stacks/monitoring/kube-prometheus/values.yaml
+++ b/template/stacks/monitoring/kube-prometheus/values.yaml
@@ -51,7 +51,7 @@ grafana:
       token_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/token
       api_url: https://{{{ .Env.DOMAIN }}}/keycloak/realms/cnoe/protocol/openid-connect/userinfo
       redirect_uri: http://{{{ .Env.DOMAIN }}}/grafana/login/generic_oauth
-      role_attribute_path: "contains(resource_access.\"grafana\".roles[*], 'admin') && 'Admin' || contains(resource_access.\"grafana\".roles[*], 'editor') && 'Editor' || 'Viewer'"
+      role_attribute_path: "contains(groups[*], 'admin') && 'Admin' || contains(groups[*], 'editor') && 'Editor' || 'Viewer'"
       
   extraSecretMounts:
     - name: auth-generic-oauth-secret-mount
diff --git a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
index 604d714..1b5681f 100644
--- a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
+++ b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
@@ -189,20 +189,13 @@ data:
       "rootUrl": "https://{{{ .Env.DOMAIN }}}/grafana",
       "adminUrl": "https://{{{ .Env.DOMAIN }}}/grafana",
       "baseUrl": "https://{{{ .Env.DOMAIN }}}/grafana",
-      "surrogateAuthRequired": false,
-      "enabled": true,
       "alwaysDisplayInConsole": false,
-      "clientAuthenticatorType": "client-secret",
-      "secret": "aQ1UV9Z6ZuLBwrgw8vV9ijf6LA95yMZL",
       "redirectUris": [
         "http://{{{ .Env.DOMAIN }}}/grafana/*"
       ],
       "webOrigins": [
         "https://{{{ .Env.DOMAIN }}}/grafana"
       ],
-      "notBefore": 0,
-      "bearerOnly": false,
-      "consentRequired": false,
       "standardFlowEnabled": true,
       "implicitFlowEnabled": false,
       "directAccessGrantsEnabled": true,
@@ -211,50 +204,19 @@ data:
       "frontchannelLogout": true,
       "protocol": "openid-connect",
       "attributes": {
+        "saml_idp_initiated_sso_url_name": "",
         "oidc.ciba.grant.enabled": "false",
-        "backchannel.logout.session.required": "true",
-        "display.on.consent.screen": "false",
-        "oauth2.device.authorization.grant.enabled": "false",
-        "backchannel.logout.revoke.offline.tokens": "false"
+        "oauth2.device.authorization.grant.enabled": "false"
       },
-      "authenticationFlowBindingOverrides": {},
-      "fullScopeAllowed": true,
-      "nodeReRegistrationTimeout": -1,
-      "protocolMappers": [
-        {
-          "name": "client roles",
-          "protocol": "openid-connect",
-          "protocolMapper": "oidc-usermodel-client-role-mapper",
-          "consentRequired": false,
-          "config": {
-            "multivalued": "true",
-            "userinfo.token.claim": "false",
-            "user.attribute": "foo",
-            "id.token.claim": "true",
-            "access.token.claim": "true",
-            "claim.name": "resource_access.${client_id}.roles",
-            "jsonType.label": "String"
-          }
-        }
-      ],
       "defaultClientScopes": [
         "web-origins",
         "acr",
-        "roles",
         "offline_access",
+        "roles",
         "profile",
+        "groups",
         "email"
-      ],
-      "optionalClientScopes": [
-        "address",
-        "phone",
-        "microprofile-jwt"
-      ],
-      "access": {
-        "view": true,
-        "configure": true,
-        "manage": true
-      }
+      ]
     }
 
 ---