org.sonatype.nexus.security.SecurityApi has an addRole method:
This method does not allow specifying the role source, the implementation uses the default source (Default Authorization realm)
While it can work that you can create a role in the default source, and still have that picked up by LDAP or crowd, this seems to be by accident only, is not intuitive and a compatibility byproduct from Nexus 2.
This implicit byproduct is not a good long term approach.
Users want to map roles explicitly to LDAP and CROWD, not the default realm and providing a way to specify the role source would allow that.