diff --git a/infra/base/authentik/bootstrap-prod.yaml b/infra/base/authentik/bootstrap-prod.yaml
index 6fae2ba..ec376f4 100644
--- a/infra/base/authentik/bootstrap-prod.yaml
+++ b/infra/base/authentik/bootstrap-prod.yaml
@@ -250,14 +250,14 @@ entries:
 # Admin role mapping
 if "authentik Admins" in user_groups or "Administrators" in user_groups:
- return "Admin"
+ return {"role": "Admin"}
 # Editor role mapping
 if "Tax Reviewers" in user_groups or "Accountants" in user_groups:
- return "Editor"
+ return {"role": "Editor"}
 # Default to Viewer role
- return "Viewer"
+ return {"role": "Viewer"}
 # Custom Scope Mapping for MinIO
 - id: scope_minio_policy
diff --git a/infra/base/monitoring.yaml b/infra/base/monitoring.yaml
index 9384966..2a87f84 100644
--- a/infra/base/monitoring.yaml
+++ b/infra/base/monitoring.yaml
@@ -60,6 +60,8 @@ services:
 GF_USERS_ALLOW_SIGN_UP: false
 GF_USERS_AUTO_ASSIGN_ORG: true
 GF_USERS_AUTO_ASSIGN_ORG_ROLE: Viewer
+ GF_LOG_MODE: console
+ GF_LOG_LEVEL: info
 GF_AUTH_GENERIC_OAUTH_ENABLED: true
 GF_AUTH_GENERIC_OAUTH_NAME: Authentik
 GF_AUTH_GENERIC_OAUTH_CLIENT_ID: ${GRAFANA_OAUTH_CLIENT_ID}
@@ -70,9 +72,10 @@ services:
 GF_AUTH_GENERIC_OAUTH_API_URL: http://apa-authentik-server:9000/application/o/userinfo/
 GF_AUTH_GENERIC_OAUTH_AUTO_LOGIN: false
 GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP: true
- GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: role
- GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_STRICT: false
+ GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: contains(groups, 'Administrators') && 'Admin' || contains(groups, 'authentik Admins') && 'Admin' || contains(groups, 'Tax Reviewers') && 'Editor' || contains(groups, 'Accountants') && 'Editor' || 'Viewer'
+ GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_STRICT: true
 GF_AUTH_GENERIC_OAUTH_GROUPS_ATTRIBUTE_PATH: groups
+ GF_AUTH_SIGNOUT_REDIRECT_URL: https://auth.${DOMAIN}/application/o/grafana-prod/end-session/
 GF_AUTH_OAUTH_AUTO_LOGIN: false
 GF_AUTH_DISABLE_LOGIN_FORM: false
 GF_SERVER_ROOT_URL: https://grafana.${DOMAIN}
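Review bot: The group-to-role decision is now encoded in two places: this expression emits it as a `role` key, while the companion change in monitoring.yaml stops reading `role` and re-derives the same `Administrators`/`authentik Admins`/`Tax Reviewers`/`Accountants` mapping from `groups` with a JMESPath, so the two will drift silently the next time a group is renamed or added. If the dict form is what makes the claim actually show up in the token/userinfo (the switch from a bare string suggests the returned mapping is merged into the claims — please confirm against the Authentik docs), I would have Grafana consume it, `GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: role`, and keep this expression as the single source of truth; otherwise delete this mapping so nobody assumes it is enforced. A comment above the first branch such as `# Returned dict is merged into the OIDC claims; consumers read the 'role' key` would make that contract explicit. The enclosing expression block and the definition of `user_groups` start before this hunk, so I could not check how the group list is built.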
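Review bot: `GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_STRICT: true` never denies anyone here, because the new JMESPath ends in `|| 'Viewer'`, so every account Authentik is willing to authenticate gets a role and, with `GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP: true` three lines above, a Grafana account. If only members of the four mapped groups should reach Grafana, drop the trailing `|| 'Viewer'` so strict mode rejects unmapped users (or bind a group policy to the application on the Authentik side); if open Viewer access is intended, say so with a comment, `# Every authenticated Authentik user lands as Viewer; STRICT only fails logins whose userinfo has no usable groups claim`. As far as I recall, JMESPath `contains()` raises a type error when `groups` is null or absent, which strict mode turns into a login failure — a safe default, but worth documenting so the next person does not flip STRICT back to false to "fix" it. The expression would also be far easier to review as a folded scalar with one alternative per line, which yields the identical value.
```yaml
      GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: >-
        contains(groups, 'Administrators') && 'Admin' ||
        contains(groups, 'authentik Admins') && 'Admin' ||
        contains(groups, 'Tax Reviewers') && 'Editor' ||
        contains(groups, 'Accountants') && 'Editor' ||
        'Viewer'
      GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_STRICT: true
```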
@@ -81,7 +84,6 @@ services:
 GF_SECURITY_COOKIE_SAMESITE: lax
 GF_AUTH_GENERIC_OAUTH_USE_PKCE: true
 GF_AUTH_GENERIC_OAUTH_TLS_SKIP_VERIFY_INSECURE: true
- GF_AUTH_SIGNOUT_REDIRECT_URL: https://auth.${DOMAIN}/application/o/grafana/end-session/
 extra_hosts:
 - "auth.local.lan:host-gateway"
 - "grafana.local.lan:host-gateway"