Using REST one can create a local realm user referencing a role which does not exist in the system.
On the other hand, creating a user in the UI, one cannot create a user without assigning at least one known role at the time of creation.
When the user record is viewed in the UI, the non-existent roles will not appear in the active role list.
The database will still contain the role mapping to the user:
Be consistent in validation. Error the REST API call if a local realm user is being created with any single invalid role reference. Respond with a contextual error message as to why the call failed. Document this possible failure in the API doc