About a month ago, I developed an Ansible role to manage OPSS application policies. By original design, my role uses two lists: application role names and principals and then assigned each role to each principal. Something similar to: - name: Grant application roles include_roles: role: opss-grant vars: app_name: