This closes #2865
diff --git a/docs/user-manual/en/configuration-index.md b/docs/user-manual/en/configuration-index.md
index 0deb104..9239123 100644
--- a/docs/user-manual/en/configuration-index.md
+++ b/docs/user-manual/en/configuration-index.md
@@ -374,6 +374,9 @@
[permission](security.md) |
[permission.type](security.md) | the type of permission
[permission.roles](security.md) | a comma-separated list of roles to apply the permission to
+[role-mapping](security.md) | A simple role mapping that can be used to map roles from external authentication providers (i.e. LDAP) to internal roles
+[role-mapping.from](security.md) | The external role which should be mapped
+[role-mapping.to](security.md) | The internal role which should be assigned to the authenticated user
## broker-plugin type
diff --git a/docs/user-manual/en/security.md b/docs/user-manual/en/security.md
index 6a45271..063fc28 100644
--- a/docs/user-manual/en/security.md
+++ b/docs/user-manual/en/security.md
@@ -1022,6 +1022,20 @@
client), using TLS can provide Kerberos authentication over an *unsecure*
channel.
+## Mapping external roles
+Roles from external authentication providers (i.e. LDAP) can be mapped to internally used roles. The is done through role-mapping entries in the security-settings block:
+
+```xml
+<security-settings>
+ [...]
+ <role-mapping from="cn=admins,ou=Group,ou=ActiveMQ,ou=system" to="my-admin-role"/>
+ <role-mapping from="cn=users,ou=Group,ou=ActiveMQ,ou=system" to="my-user-role"/>
+</security-settings>
+```
+
+Note: Role mapping is additive. That means the user will keep the original role(s) as well as the newly assigned role(s).
+
+Note: This role mapping only affects the roles which are used to authorize queue access through the configured acceptors. It can not be used to map the role required to access the web console.
## SASL
[AMQP](using-AMQP.md) supports SASL. The following mechanisms are supported; PLAIN, EXTERNAL, ANONYMOUS, GSSAPI.
