diff --git a/docker-env2/seed-sites.sh b/docker-env2/seed-sites.sh
index 6292271..183bc6f 100755
--- a/docker-env2/seed-sites.sh
+++ b/docker-env2/seed-sites.sh
@@ -32,7 +32,29 @@ $CLI $URL $AUTH site create \
 --grpc-node-b-address "http://scadalink-env2-site-x-b:8083" \
 || echo " (Site-X may already exist)"
+echo ""
+echo "Seeding LDAP group mappings (Design + Deployment)..."
+# SecurityConfiguration.HasData declares 4 mappings but the InitialSchema
+# migration only inserts the Admin row, so a fresh ScadaLinkConfig2 starts
+# with multi-role getting Admin only -- no Design and no Deployment access.
+# Insert the missing three idempotently. (Same divergence exists on the
+# primary, but primary's database has the rows from earlier history.)
+docker exec -i scadalink-mssql /opt/mssql-tools18/bin/sqlcmd \
+ -S localhost -U sa -P 'ScadaLink_Dev1#' -C \
+ -d ScadaLinkConfig2 -Q "
+SET IDENTITY_INSERT LdapGroupMappings ON;
+IF NOT EXISTS (SELECT 1 FROM LdapGroupMappings WHERE Id = 2)
+ INSERT INTO LdapGroupMappings (Id, LdapGroupName, Role) VALUES (2, 'SCADA-Designers', 'Design');
+IF NOT EXISTS (SELECT 1 FROM LdapGroupMappings WHERE Id = 3)
+ INSERT INTO LdapGroupMappings (Id, LdapGroupName, Role) VALUES (3, 'SCADA-Deploy-All', 'Deployment');
+IF NOT EXISTS (SELECT 1 FROM LdapGroupMappings WHERE Id = 4)
+ INSERT INTO LdapGroupMappings (Id, LdapGroupName, Role) VALUES (4, 'SCADA-Deploy-SiteA', 'Deployment');
+SET IDENTITY_INSERT LdapGroupMappings OFF;
+"
+
 echo ""
 echo "=== Env2 site seeding complete ==="
 echo ""
 echo "Verify with: $CLI $URL $AUTH site list"
+echo "Multi-role test user now has Admin + Design + Deployment in env2."
+echo "Sign out and back in to refresh session role claims."
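Review bot: The added sqlcmd call has no failure handling, yet the closing `echo "Multi-role test user now has Admin + Design + Deployment in env2."` is printed unconditionally, so a run where the inserts failed still reports the role mappings as present. Without `-b`, sqlcmd normally exits 0 even when the T-SQL batch errors, so a `set -e` earlier in the script (not visible in this hunk) would not catch it either; add `-b` to the sqlcmd options and follow the closing `"` with `|| { echo "  LDAP mapping seed failed" >&2; exit 1; }`. Separately, the sa password is passed as `-P '...'` in argv, where it is visible in process listings on the host and inside the container; sqlcmd reads `SQLCMDPASSWORD` from the environment, so `docker exec -e SQLCMDPASSWORD ...` with the value exported by the caller keeps it off the command line. The existence checks key on `Id` alone, so a row that already occupies Id 2, 3 or 4 with a different group or role is silently left in place; also matching on `LdapGroupName` and `Role` would make the seed confirm the mappings it announces.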