diff --git a/rest/admin-ui-ext/src/main/java/org/keycloak/admin/ui/rest/AvailableRoleMappingResource.java b/rest/admin-ui-ext/src/main/java/org/keycloak/admin/ui/rest/AvailableRoleMappingResource.java
index 6f85dd81eb..6745a155aa 100644
--- a/rest/admin-ui-ext/src/main/java/org/keycloak/admin/ui/rest/AvailableRoleMappingResource.java
+++ b/rest/admin-ui-ext/src/main/java/org/keycloak/admin/ui/rest/AvailableRoleMappingResource.java
@@ -65,7 +65,7 @@ public class AvailableRoleMappingResource extends RoleMappingResource {
 throw new NotFoundException("Could not find client scope");
 } else {
 this.auth.clients().requireView(scopeModel);
- return this.mapping(((Predicate) scopeModel::hasDirectScope).negate(), first, max, search);
+ return this.mapping(((Predicate) scopeModel::hasDirectScope).negate(), auth.roles()::canMapClientScope, first, max, search);
 }
 }
diff --git a/rest/admin-ui-ext/src/main/java/org/keycloak/admin/ui/rest/EffectiveRoleMappingResource.java b/rest/admin-ui-ext/src/main/java/org/keycloak/admin/ui/rest/EffectiveRoleMappingResource.java
index 2c4528e2fd..a159293fa8 100644
--- a/rest/admin-ui-ext/src/main/java/org/keycloak/admin/ui/rest/EffectiveRoleMappingResource.java
+++ b/rest/admin-ui-ext/src/main/java/org/keycloak/admin/ui/rest/EffectiveRoleMappingResource.java
@@ -60,7 +60,7 @@ public class EffectiveRoleMappingResource extends RoleMappingResource {
 }
 this.auth.clients().requireView(clientScope);
- return this.mapping(clientScope::hasScope).collect(Collectors.toList());
+ return this.mapping(clientScope::hasScope, auth.roles()::canMapClientScope).collect(Collectors.toList());
 }
 @GET
diff --git a/rest/admin-ui-ext/src/main/java/org/keycloak/admin/ui/rest/RoleMappingResource.java b/rest/admin-ui-ext/src/main/java/org/keycloak/admin/ui/rest/RoleMappingResource.java
index 939c105ab9..d157a6c7cb 100644
--- a/rest/admin-ui-ext/src/main/java/org/keycloak/admin/ui/rest/RoleMappingResource.java
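Review bot: The only thing that selects the client-scope permission check at the changed `return this.mapping(...)` line in AvailableRoleMappingResource is the extra `auth.roles()::canMapClientScope` argument; if it is dropped the call still compiles and resolves to the four-argument `mapping` overload, which after this commit filters with `canMapRole` instead. The same holds for the `clientScope::hasScope` call in EffectiveRoleMappingResource and its one-argument overload. A short comment above each call would protect that choice from a later cleanup, for example `// client-scope mapping: must filter with canMapClientScope, not the canMapRole default`. The enclosing methods start and end outside both hunks, so the other endpoints of these two classes are not visible here.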
+++ b/rest/admin-ui-ext/src/main/java/org/keycloak/admin/ui/rest/RoleMappingResource.java
@@ -21,13 +21,23 @@ public abstract class RoleMappingResource {
 this.auth = auth;
 }
- public final Stream mapping(Predicate predicate) {
+ protected final Stream mapping(Predicate predicate) {
 return realm.getClientsStream().flatMap(RoleContainerModel::getRolesStream).filter(predicate)
- .filter(auth.roles()::canMapClientScope).map(roleModel -> convertToModel(roleModel, realm.getClientsStream()));
+ .filter(auth.roles()::canMapRole).map(roleModel -> convertToModel(roleModel, realm.getClientsStream()));
 }
- public final List mapping(Predicate predicate, long first, long max, final String search) {
+ protected final Stream mapping(Predicate predicate, Predicate authPredicate) {
+ return realm.getClientsStream().flatMap(RoleContainerModel::getRolesStream).filter(predicate)
+ .filter(authPredicate).map(roleModel -> convertToModel(roleModel, realm.getClientsStream()));
+ }
+
+ protected final List mapping(Predicate predicate, long first, long max, final String search) {
 return mapping(predicate).filter(clientRole -> clientRole.getClient().contains(search) || clientRole.getRole().contains(search))
 .skip(first).limit(max).collect(Collectors.toList());
 }
+
+ protected final List mapping(Predicate predicate, Predicate authPredicate, long first, long max, final String search) {
+ return mapping(predicate, authPredicate).filter(clientRole -> clientRole.getClient().contains(search) || clientRole.getRole().contains(search))
+ .skip(first).limit(max).collect(Collectors.toList());
+ }
 }
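Review bot: The permission filter now exists in two copies of the same stream pipeline, and the search/paging step in two more, so a later edit to one overload can leave its twin applying a different check. The one-argument `mapping` could delegate with `return mapping(predicate, auth.roles()::canMapRole);` and the four-argument one with `return mapping(predicate, auth.roles()::canMapRole, first, max, search);`, leaving a single place where roles are filtered by permission. Since `authPredicate` is the only authorization gate on what these methods return, the two new overloads should carry a Javadoc line stating that it must be a permission check taken from `auth.roles()` and never a pass-through. Callers of the one- and four-argument overloads that lie outside this diff now get `canMapRole` where they previously got `canMapClientScope`, so each should be confirmed against the kind of mapping it lists (for composite-role listings, `canMapComposite` may be the matching check). The class header and `convertToModel` are outside the hunk.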