diff --git a/defaults/main.yml b/defaults/main.yml index df6574e1..8f30af02 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -91,6 +91,9 @@ horizon_keystone_endpoint: "{{ keystone_service_internalurl }}" ## alternatively, you can set horizon to turn off ssl verification for Keystone horizon_ssl_no_verify: "{{ (keystone_service_adminuri_insecure | bool or keystone_service_internaluri_insecure | bool) | default(false) }}" +## The role which Horizon should use as a default for users +horizon_default_role_name: _member_ + ## Launch instance horizon_launch_instance_legacy: True horizon_launch_instance_ng: False diff --git a/tasks/horizon_service_setup.yml b/tasks/horizon_service_setup.yml new file mode 100644 index 00000000..ee08a2ca --- /dev/null +++ b/tasks/horizon_service_setup.yml @@ -0,0 +1,34 @@ +--- +# Copyright 2015, Rackspace US, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + + +# Add the default user role +- name: Ensure default keystone user role + keystone: + command: "ensure_role" + token: "{{ keystone_auth_admin_token }}" + endpoint: "{{ keystone_service_adminurl }}" + role_name: "{{ horizon_default_role_name }}" + insecure: "{{ keystone_service_adminuri_insecure }}" + when: > + keystone_auth_admin_token is defined + and keystone_service_adminurl is defined + and keystone_service_adminuri_insecure is defined + register: add_member_role + until: add_member_role|success + retries: 5 + delay: 10 + tags: + - horizon-member-config 
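Review bot: The `Ensure default keystone user role` task in tasks/horizon_service_setup.yml passes `keystone_auth_admin_token` as a module argument without `no_log`, so the token may appear in verbose output or in the registered `add_member_role` result when a retry fails, unless the `keystone` module already masks it (not visible in this diff). I would add `no_log: true` to the task. The `when:` guard also skips the task silently if any of the three variables is undefined, while the template still configures Horizon with `horizon_default_role_name`; a comment such as `# skipped when the admin token/URL are not defined; the role must then already exist in Keystone` would make that dependency explicit. Note also that `insecure` is taken directly from `keystone_service_adminuri_insecure`, so the admin token is sent without certificate verification whenever that variable is true.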
diff --git a/tasks/main.yml b/tasks/main.yml index 87b0a03b..fe8fb227 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -28,6 +28,8 @@ - include: horizon_ssl_user_provided.yml +- include: horizon_service_setup.yml + - include: horizon_apache.yml - name: Flush handlers diff --git a/templates/horizon_local_settings.py.j2 b/templates/horizon_local_settings.py.j2 index 7835dcd2..df6be925 100644 --- a/templates/horizon_local_settings.py.j2 +++ b/templates/horizon_local_settings.py.j2 @@ -168,7 +168,8 @@ OPENSTACK_HOST = "{{ horizon_keystone_host }}" OPENSTACK_KEYSTONE_URL = "{{ horizon_keystone_endpoint }}" {% endif %} -OPENSTACK_KEYSTONE_DEFAULT_ROLE = "_member_" +# The default role assigned to users +OPENSTACK_KEYSTONE_DEFAULT_ROLE = "{{ horizon_default_role_name }}" {% if keystone_sp is defined %} # Enables keystone web single-sign-on
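Review bot: In templates/horizon_local_settings.py.j2 the new `OPENSTACK_KEYSTONE_DEFAULT_ROLE` line renders `horizon_default_role_name` unescaped inside a Python string literal, so a value containing a double quote or backslash yields a broken or altered local_settings.py. The variable is operator-supplied, so this is a robustness point rather than an exposure to untrusted input. Rendering it through a quoting filter, for example `OPENSTACK_KEYSTONE_DEFAULT_ROLE = {{ horizon_default_role_name | to_json }}`, would keep the setting a valid literal for any role name. The neighbouring settings visible in this hunk use the same raw pattern, so a consistent change may belong in a follow-up.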