Instead of assigning roles based on the user properties, add the ability to search for the roles to be assigned to a particular user.
It could be exactly the same as the role search, except it would be used to assign roles to a user.
This would properly assign roles that are configured with nested groups in AD.
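The difference the request is pointing at, as an added example that is not part of the original request or the project's code: role mapping keyed on a user's direct `memberOf` values misses groups the user belongs to only through nesting, while a transitive group lookup (what a search-based assignment would perform) finds them. The directory data and role mapping below are constructed for illustration.

```python
# Constructed role mapping: role name -> AD group DN that grants it.
ROLE_MAPPING = {"admin": "CN=Admins", "helpdesk": "CN=Helpdesk"}

# Constructed directory: object DN -> the groups it is a direct member of
# (what the memberOf attribute of that object would hold).
# alice is in Helpdesk-Leads, which is nested in both Tier1-Admins and Helpdesk;
# Tier1-Admins is nested in Admins. Admins <-> Tier1-Admins forms a cycle on purpose.
MEMBER_OF = {
    "CN=alice": {"CN=Helpdesk-Leads"},
    "CN=bob": {"CN=Helpdesk"},
    "CN=Helpdesk-Leads": {"CN=Tier1-Admins", "CN=Helpdesk"},
    "CN=Tier1-Admins": {"CN=Admins"},
    "CN=Admins": {"CN=Tier1-Admins"},
}


def roles_from_user_properties(user_dn):
    """Property-based assignment: only the user's direct memberOf values count."""
    direct = MEMBER_OF.get(user_dn, set())
    return sorted(role for role, group in ROLE_MAPPING.items() if group in direct)


def transitive_groups(obj_dn):
    """All groups reachable from obj_dn through nested membership.
    Equivalent to what AD returns server-side for a memberOf query using the
    LDAP_MATCHING_RULE_IN_CHAIN rule (OID 1.2.840.113556.1.4.1941).
    The visited set guards against cycles in the group graph."""
    seen, stack = set(), list(MEMBER_OF.get(obj_dn, set()))
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        stack.extend(MEMBER_OF.get(group, set()))
    return seen


def roles_from_group_search(user_dn):
    """Search-based assignment: any group in the transitive closure grants its role."""
    groups = transitive_groups(user_dn)
    return sorted(role for role, group in ROLE_MAPPING.items() if group in groups)


if __name__ == "__main__":
    for user in ("CN=alice", "CN=bob"):
        print(user, "properties:", roles_from_user_properties(user),
              "search:", roles_from_group_search(user))
```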