diff --git a/playbooks/roles/os_horizon/defaults/main.yml b/playbooks/roles/os_horizon/defaults/main.yml
index df6574e1dd..8f30af0267 100644
--- a/playbooks/roles/os_horizon/defaults/main.yml
+++ b/playbooks/roles/os_horizon/defaults/main.yml
@@ -91,6 +91,9 @@ horizon_keystone_endpoint: "{{ keystone_service_internalurl }}"
 ## alternatively, you can set horizon to turn off ssl verification for Keystone
 horizon_ssl_no_verify: "{{ (keystone_service_adminuri_insecure | bool or keystone_service_internaluri_insecure | bool) | default(false) }}"
 
+## The role which Horizon should use as a default for users
+horizon_default_role_name: _member_
+
 ## Launch instance
 horizon_launch_instance_legacy: True
 horizon_launch_instance_ng: False
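Review bot: `horizon_default_role_name` is defined independently of `keystone_default_role_name`, which this same commit adds in os_keystone/defaults/main.yml. Overriding only one of them leaves Horizon's `OPENSTACK_KEYSTONE_DEFAULT_ROLE` naming a different role from Keystone's `member_role_name`. The comment should state that coupling, for example `## Default role Horizon assigns to users; must exist in Keystone and match keystone_default_role_name`. Quoting the value as `'_member_'` would also match the quoted strings on the neighbouring lines.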
diff --git a/playbooks/roles/os_horizon/tasks/horizon_service_setup.yml b/playbooks/roles/os_horizon/tasks/horizon_service_setup.yml
new file mode 100644
index 0000000000..ee08a2cad3
--- /dev/null
+++ b/playbooks/roles/os_horizon/tasks/horizon_service_setup.yml
@@ -0,0 +1,34 @@
+---
+# Copyright 2015, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+# Add the default user role
+- name: Ensure default keystone user role
+  keystone:
+    command: "ensure_role"
+    token: "{{ keystone_auth_admin_token }}"
+    endpoint: "{{ keystone_service_adminurl }}"
+    role_name: "{{ horizon_default_role_name }}"
+    insecure: "{{ keystone_service_adminuri_insecure }}"
+  when: >
+    keystone_auth_admin_token is defined
+    and keystone_service_adminurl is defined
+    and keystone_service_adminuri_insecure is defined
+  register: add_member_role
+  until: add_member_role|success
+  retries: 5
+  delay: 10
+  tags:
+    - horizon-member-config
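Review bot: The `when:` guard skips this task silently if any of the three keystone variables is undefined, yet the template still writes `horizon_default_role_name` into Horizon's settings. A deployment can therefore point Horizon at a role that was never ensured. A comment above the task should say the skip is intentional, for example `# Skipped when keystone admin credentials are not visible to this role; the role must then already exist in Keystone`. Separately, `token:` passes the Keystone admin token as a plain module argument, so adding `no_log: true` would keep it out of task output; the same applies to the matching task added in keystone_service_setup.yml. When `keystone_service_adminuri_insecure` is true, that token is also sent without certificate verification, which deserves a note in the defaults.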
diff --git a/playbooks/roles/os_horizon/tasks/main.yml b/playbooks/roles/os_horizon/tasks/main.yml
index 87b0a03bd6..fe8fb2277b 100644
--- a/playbooks/roles/os_horizon/tasks/main.yml
+++ b/playbooks/roles/os_horizon/tasks/main.yml
@@ -28,6 +28,8 @@
 
 - include: horizon_ssl_user_provided.yml
 
+- include: horizon_service_setup.yml
+
 - include: horizon_apache.yml
 
 - name: Flush handlers
diff --git a/playbooks/roles/os_horizon/templates/horizon_local_settings.py.j2 b/playbooks/roles/os_horizon/templates/horizon_local_settings.py.j2
index 7835dcd29e..df6be92508 100644
--- a/playbooks/roles/os_horizon/templates/horizon_local_settings.py.j2
+++ b/playbooks/roles/os_horizon/templates/horizon_local_settings.py.j2
@@ -168,7 +168,8 @@ OPENSTACK_HOST = "{{ horizon_keystone_host }}"
 OPENSTACK_KEYSTONE_URL = "{{ horizon_keystone_endpoint }}"
 {% endif %}
 
-OPENSTACK_KEYSTONE_DEFAULT_ROLE = "_member_"
+# The default role assigned to users
+OPENSTACK_KEYSTONE_DEFAULT_ROLE = "{{ horizon_default_role_name }}"
 
 {% if keystone_sp is defined %}
 # Enables keystone web single-sign-on
diff --git a/playbooks/roles/os_keystone/defaults/main.yml b/playbooks/roles/os_keystone/defaults/main.yml
index e042354277..fa57eddb51 100644
--- a/playbooks/roles/os_keystone/defaults/main.yml
+++ b/playbooks/roles/os_keystone/defaults/main.yml
@@ -80,6 +80,7 @@ keystone_database_pool_timeout: 30
 
 ## Role info
 keystone_role_name: admin
+keystone_default_role_name: _member_
 
 ## Admin info
 keystone_admin_port: 35357
diff --git a/playbooks/roles/os_keystone/tasks/keystone_service_setup.yml b/playbooks/roles/os_keystone/tasks/keystone_service_setup.yml
index ddddbabe6a..9fb4cf58b3 100644
--- a/playbooks/roles/os_keystone/tasks/keystone_service_setup.yml
+++ b/playbooks/roles/os_keystone/tasks/keystone_service_setup.yml
@@ -128,6 +128,22 @@
     - keystone-api-setup
     - keystone-setup
 
+# Add the default user role
+- name: Ensure default keystone user role
+  keystone:
+    command: "ensure_role"
+    token: "{{ keystone_auth_admin_token }}"
+    endpoint: "{{ keystone_service_adminurl }}"
+    role_name: "{{ keystone_default_role_name }}"
+    insecure: "{{ keystone_service_adminuri_insecure }}"
+  register: add_member_role
+  until: add_member_role|success
+  retries: 5
+  delay: 10
+  tags:
+    - keystone-api-setup
+    - keystone-setup
+
 # Create a service
 - name: Ensure Keystone Service
   keystone:
diff --git a/playbooks/roles/os_keystone/templates/keystone.conf.j2 b/playbooks/roles/os_keystone/templates/keystone.conf.j2
index a60c72af62..d2276353f2 100644
--- a/playbooks/roles/os_keystone/templates/keystone.conf.j2
+++ b/playbooks/roles/os_keystone/templates/keystone.conf.j2
@@ -9,6 +9,7 @@ public_endpoint = {{ keystone_public_endpoint }}
 {% endif %}
 admin_endpoint = {{ keystone_service_adminuri }}
 fatal_deprecations = {{ keystone_fatal_deprecations }}
+member_role_name = {{ keystone_default_role_name }}
 
 {% if keystone_ssl | bool and keystone_secure_proxy_ssl_header is defined %}
 secure_proxy_ssl_header = {{ keystone_secure_proxy_ssl_header }}
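Review bot: `member_role_name` is now templated, but its companion option `member_role_id` is not set, so it presumably stays at Keystone's built-in default. If Keystone creates the member role on demand from that ID plus this name, a role already created under the same name by the new `ensure_role` task (with a different ID) could conflict with it. This should be confirmed against the Keystone release being deployed. A comment line above the option, such as `# Must match the role ensured in keystone_service_setup.yml and Horizon's OPENSTACK_KEYSTONE_DEFAULT_ROLE`, would record the dependency.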