diff --git a/tf-stage2/keycloak.tf b/tf-stage2/keycloak.tf
index 3742bffe9b613eaff07cc54cb5ffaa76fc086038..216813955b8ba310d9b39fe5e2c9ce918abaf54f 100644
--- a/tf-stage2/keycloak.tf
+++ b/tf-stage2/keycloak.tf
@@ -156,7 +156,7 @@ resource "keycloak_saml_user_property_protocol_mapper" "gitlab_saml_username" {
   saml_attribute_name_format = "Basic"
 }
 
-resource "keycloak_group" "archlinux_staff" {
+resource "keycloak_group" "staff" {
   realm_id = "archlinux"
   name = "Arch Linux Staff"
 }
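Review bot: Renaming `keycloak_group.archlinux_staff` to `keycloak_group.staff` changes the resource address, so unless the state is moved as well, Terraform will plan to destroy and re-create the "Arch Linux Staff" group. The `arch_groups` children take their `parent_id` from this group and would be affected too, and any group memberships held only in Keycloak would presumably be lost with the old group. A `moved` block with `from = keycloak_group.archlinux_staff` and `to = keycloak_group.staff` (or a `terraform state mv` before the apply) keeps the existing object. The same applies to `keycloak_group_roles.group_roles` becoming `keycloak_group_roles.devops` in the next hunk, where a destroy/create would leave a window with the DevOps role mapping removed.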
@@ -170,17 +170,23 @@ resource "keycloak_group" "arch_groups" {
   for_each = var.arch_groups
 
   realm_id = "archlinux"
-  parent_id = keycloak_group.archlinux_staff.id
+  parent_id = keycloak_group.staff.id
   name = each.value
 }
 
 resource "keycloak_role" "devops" {
   realm_id = "archlinux"
   name = "DevOps"
-  description = "DevOps role"
+  description = "Role held by members of the DevOps group"
 }
 
-resource "keycloak_group_roles" "group_roles" {
+resource "keycloak_role" "staff" {
+  realm_id = "archlinux"
+  name = "Staff"
+  description = "Role held by all Arch Linux staff"
+}
+
+resource "keycloak_group_roles" "devops" {
   realm_id = "archlinux"
   group_id = keycloak_group.arch_groups["DevOps"].id
   role_ids = [
@@ -188,6 +194,14 @@ resource "keycloak_group_roles" "group_roles" {
   ]
 }
 
+resource "keycloak_group_roles" "staff" {
+  realm_id = "archlinux"
+  group_id = keycloak_group.staff.id
+  role_ids = [
+    keycloak_role.staff.id
+  ]
+}
+
 output "gitlab_saml_configuration" {
   value = {
     issuer = keycloak_saml_client.saml_gitlab.client_id
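Review bot: The new `keycloak_group_roles.staff` mapping is attached to the parent group, and Keycloak subgroups inherit their parent's role mappings, so every member of every group in `var.arch_groups` receives the Staff role, not only direct members of "Arch Linux Staff". That makes adding an entry to `var.arch_groups` an access-granting change for any client that authorizes on this role, which is worth stating next to the resource, for example `# Inherited by all child groups in arch_groups; adding a group there grants the Staff role to its members`. The `output` block that follows continues outside the hunk.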