diff --git a/cms/envs/common.py b/cms/envs/common.py
index 2a5c20cd8a..14bb97e671 100644
--- a/cms/envs/common.py
+++ b/cms/envs/common.py
@@ -1569,3 +1569,6 @@ plugin_settings.add_plugins(__name__, plugin_constants.ProjectType.CMS, plugin_c
 # setting for the FileWrapper class used to iterate over the export file data.
 # See: https://docs.python.org/2/library/wsgiref.html#wsgiref.util.FileWrapper
 COURSE_EXPORT_DOWNLOAD_CHUNK_SIZE = 8192
+
+############### Settings for edx-rbac ###############
+SYSTEM_WIDE_ROLE_CLASSES = os.environ.get("SYSTEM_WIDE_ROLE_CLASSES", [])
diff --git a/cms/envs/test.py b/cms/envs/test.py
index 849130059c..a4592d6a7b 100644
--- a/cms/envs/test.py
+++ b/cms/envs/test.py
@@ -355,3 +355,6 @@ plugin_settings.add_plugins(__name__, plugin_constants.ProjectType.CMS, plugin_c
 ########################## Derive Any Derived Settings #######################
 derive_settings(__name__)
+
+############### Settings for edx-rbac ###############
+SYSTEM_WIDE_ROLE_CLASSES = os.environ.get("SYSTEM_WIDE_ROLE_CLASSES", [])
diff --git a/lms/envs/common.py b/lms/envs/common.py
index 66e95a0d53..c10df59faf 100644
--- a/lms/envs/common.py
+++ b/lms/envs/common.py
@@ -3136,7 +3136,7 @@ JWT_AUTH = {
 'JWT_LOGIN_CLIENT_ID': 'login-service-client-id',
 'JWT_LOGIN_SERVICE_USERNAME': 'login_service_user',
- 'JWT_SUPPORTED_VERSION': '1.1.0',
+ 'JWT_SUPPORTED_VERSION': '1.2.0',
 'JWT_ALGORITHM': 'HS256',
 'JWT_SECRET_KEY': SECRET_KEY,
@@ -3466,3 +3466,6 @@ USER_STATE_BATCH_SIZE = 5000
 from openedx.core.djangoapps.plugins import plugin_apps, plugin_settings, constants as plugin_constants
 INSTALLED_APPS.extend(plugin_apps.get_apps(plugin_constants.ProjectType.LMS))
 plugin_settings.add_plugins(__name__, plugin_constants.ProjectType.LMS, plugin_constants.SettingsType.COMMON)
+
+############### Settings for edx-rbac ###############
+SYSTEM_WIDE_ROLE_CLASSES = os.environ.get("SYSTEM_WIDE_ROLE_CLASSES", [])
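Review bot: `os.environ.get("SYSTEM_WIDE_ROLE_CLASSES", [])` yields a `str` when the variable is set but a `list` when it is not, so `SYSTEM_WIDE_ROLE_CLASSES` changes type per deployment, and a value such as `"a.Role,b.Role"` would presumably be iterated character by character by whatever in edx-rbac consumes it (that consumer is not visible here). Parse it into a list, e.g. `SYSTEM_WIDE_ROLE_CLASSES = [c.strip() for c in os.environ.get("SYSTEM_WIDE_ROLE_CLASSES", "").split(",") if c.strip()]`, so the setting has one type regardless of how it is supplied. Also confirm `os` is imported in `cms/envs/common.py`; the import block is outside this hunk. Since the value appears to name classes that edx-rbac will load by dotted path, a one-line comment stating the expected format (a list of dotted class paths) would help operators; the same line is duplicated verbatim in the three other settings files in this diff.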
diff --git a/lms/envs/test.py b/lms/envs/test.py
index b9cd90f45b..7960c91ad3 100644
--- a/lms/envs/test.py
+++ b/lms/envs/test.py
@@ -610,3 +610,6 @@ plugin_settings.add_plugins(__name__, plugin_constants.ProjectType.LMS, plugin_c
 ########################## Derive Any Derived Settings #######################
 derive_settings(__name__)
+
+############### Settings for edx-rbac ###############
+SYSTEM_WIDE_ROLE_CLASSES = os.environ.get("SYSTEM_WIDE_ROLE_CLASSES", [])
diff --git a/openedx/core/djangoapps/oauth_dispatch/jwt.py b/openedx/core/djangoapps/oauth_dispatch/jwt.py
index f379c7d636..0d171c8c8b 100644
--- a/openedx/core/djangoapps/oauth_dispatch/jwt.py
+++ b/openedx/core/djangoapps/oauth_dispatch/jwt.py
@@ -6,6 +6,8 @@ from django.conf import settings
 from jwkest import jwk
 from jwkest.jws import JWS
+from edx_rbac.utils import create_role_auth_claim_for_user
+
 from edx_django_utils.monitoring import set_custom_metric
 from openedx.core.djangoapps.oauth_dispatch.toggles import ENFORCE_JWT_SCOPES
 from student.models import UserProfile, anonymous_id_for_user
@@ -122,6 +124,9 @@ def _create_jwt(
 }
 payload.update(additional_claims or {})
 _update_from_additional_handlers(payload, user, scopes)
+ role_claims = create_role_auth_claim_for_user(user)
+ if role_claims:
+ payload['roles'] = role_claims
 return _encode_and_sign(payload, use_asymmetric_key, secret)
diff --git a/openedx/core/djangoapps/oauth_dispatch/tests/test_jwt.py b/openedx/core/djangoapps/oauth_dispatch/tests/test_jwt.py
index 13bccd6621..4e7f3d268f 100644
--- a/openedx/core/djangoapps/oauth_dispatch/tests/test_jwt.py
+++ b/openedx/core/djangoapps/oauth_dispatch/tests/test_jwt.py
@@ -2,6 +2,8 @@ import itertools
 from datetime import timedelta
+from mock import patch
+
 import ddt
 from django.test import TestCase
 from django.utils.timezone import now
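Review bot: The new `from edx_rbac.utils import create_role_auth_claim_for_user` makes `edx_rbac` an import-time hard dependency of the LMS token-issuance module, and no requirements change is visible in this diff, so confirm the package is declared and version-pinned before merge. Style-wise the line lands between the `jwkest` imports and the `edx_django_utils` import with a blank line on only one side; placing it in the same third-party group as `edx_django_utils` (alphabetically before it) would match the file's existing grouping.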
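Review bot: The `roles` claim is added to every token `_create_jwt` issues, independent of the requested `scopes` and of whether the client is a restricted application (the `use_asymmetric_key` path), so a user's system-wide role membership (the accompanying test uses values like `'enterprise-admin'`) is disclosed to any OAuth client that obtains a token for that user; if that is not intended, gate it on a scope or on the same scope-enforcement decision the rest of this function makes (`_create_jwt`'s signature and scope handling start before this hunk). Because the new lines run after `payload.update(additional_claims or {})`, a caller-supplied `'roles'` claim is silently overwritten whenever the user has roles; either reject `'roles'` in `additional_claims` or merge rather than replace. `if role_claims:` also means a user with no roles gets no `roles` key at all, which consumers of the tokens must tolerate — worth a comment here, e.g. `# Omitted (not empty) when the user holds no system-wide roles; consumers must treat a missing claim as no roles.` The return type of `create_role_auth_claim_for_user` is not visible here; the test mocks it as a list of strings, so confirm the truthiness check matches what edx-rbac actually returns.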
@@ -82,8 +84,10 @@ class TestCreateJWTs(AccessTokenMixin, TestCase):
 )
 self._assert_jwt_is_valid(jwt_token, should_be_asymmetric_key=scopes_enforced and client_restricted)
+ @patch('openedx.core.djangoapps.oauth_dispatch.jwt.create_role_auth_claim_for_user')
 @ddt.data(True, False)
- def test_create_jwt_for_user(self, user_email_verified):
+ def test_create_jwt_for_user(self, user_email_verified, mock_create_roles):
+ mock_create_roles.return_value = ['superuser', 'enterprise-admin']
 self.user.is_active = user_email_verified
 self.user.save()
@@ -96,3 +100,4 @@ class TestCreateJWTs(AccessTokenMixin, TestCase):
 )
 self.assertDictContainsSubset(additional_claims, token_payload)
 self.assertEqual(user_email_verified, token_payload['email_verified'])
+ self.assertEqual(token_payload['roles'], mock_create_roles.return_value)
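Review bot: The new assertion only exercises the truthy branch of the production code: `create_role_auth_claim_for_user` is patched to return a non-empty list, so the path that leaves the `roles` claim out of the token when the helper returns nothing is never covered, and the mock is never checked to have been called with `self.user`. Add a second case (e.g. `mock_create_roles.return_value = []`) asserting `'roles' not in token_payload`, and `mock_create_roles.assert_called_once_with(self.user)` after the existing assertion. Because the claim builder is mocked, nothing here shows that the `SYSTEM_WIDE_ROLE_CLASSES` settings added in this diff are actually consumed; a test without the patch that configures that setting would close the gap. `test_create_jwt_for_user` begins in the previous hunk and its middle lies between the two hunks.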