I would like external ldap mapping roles not assignable to users, as the mapping should be done by ldap groups. Unfortunately Nexus 3 does not have this restriction.
In Nexus 3, I can assign an externally mapped role to a ldap user, overruling whatever I specified in the LDAP. This can make it very confusing.
Provide a feature to always prevent mapping external LDAP groups into local or externally defined user accounts.