diff --git a/tests/test_invite.py b/tests/test_invite.py
index 8d4b777362b9da9dc0376ed99a63cc00699aed1a..b7384d4dc1af8a7902a254e66304918b722c4ceb 100644
--- a/tests/test_invite.py
+++ b/tests/test_invite.py
@@ -131,7 +131,7 @@ class TestInviteGrantModel(UffdTestCase):
 		ldap.session.commit()
 		db_flush()
 		user = User.query.get('uid=testuser,ou=users,dc=example,dc=com')
-		self.assertIn('baserole', [role.name for role in user.roles_recursive])
+		self.assertIn('baserole', [role.name for role in user.roles_effective])
 		self.assertIn('testrole1', [role.name for role in user.roles])
 		self.assertIn('testrole2', [role.name for role in user.roles])
 		self.assertIn('cn=uffd_access,ou=groups,dc=example,dc=com', [group.dn for group in user.groups])
@@ -203,7 +203,7 @@ class TestInviteSignupModel(UffdTestCase):
 		self.assertEqual(user.displayname, 'New User')
 		self.assertEqual(user.mail, 'test@example.com')
 		self.assertEqual(signup.user.dn, user.dn)
-		self.assertIn(base_role, user.roles_recursive)
+		self.assertIn(base_role, user.roles_effective)
 		self.assertIn(role1, user.roles)
 		self.assertIn(role2, user.roles)
 		self.assertIn(base_group1, user.groups)
@@ -232,8 +232,8 @@ class TestInviteSignupModel(UffdTestCase):
 		self.assertEqual(user.displayname, 'New User')
 		self.assertEqual(user.mail, 'test@example.com')
 		self.assertEqual(signup.user.dn, user.dn)
-		self.assertIn(base_role, user.roles_recursive)
-		self.assertEqual(len(user.roles_recursive), 1)
+		self.assertIn(base_role, user.roles_effective)
+		self.assertEqual(len(user.roles_effective), 1)
 		self.assertIn(base_group1, user.groups)
 		self.assertIn(base_group2, user.groups)
 		self.assertEqual(len(user.groups), 2)
diff --git a/tests/test_role.py b/tests/test_role.py
index 4cadd82d532642b8665a418fb15890da4a57a160..42be5827ec362d929ccb9c4daffbaa2182c279a3 100644
--- a/tests/test_role.py
+++ b/tests/test_role.py
@@ -14,7 +14,7 @@ from uffd import create_app, db
 from utils import dump, UffdTestCase
 
 class TestUserRoleAttributes(UffdTestCase):
-	def test_roles_recursive(self):
+	def test_roles_effective(self):
 		user1 = User.query.get('uid=testuser,ou=users,dc=example,dc=com')
 		user1.update_groups()
 		included_role = Role(name='included')
@@ -22,9 +22,9 @@ class TestUserRoleAttributes(UffdTestCase):
 		role1 = Role(name='role1', members=[user1], included_roles=[included_role])
 		role2 = Role(name='role2', included_roles=[included_role])
 		db.session.add_all([included_role, default_role, role1, role2])
-		self.assertSetEqual(user1.roles_recursive, {included_role, default_role, role1})
+		self.assertSetEqual(user1.roles_effective, {included_role, default_role, role1})
 		included_role.included_roles.append(role2)
-		self.assertSetEqual(user1.roles_recursive, {included_role, default_role, role1, role2})
+		self.assertSetEqual(user1.roles_effective, {included_role, default_role, role1, role2})
 
 	def test_update_groups(self):
 		user1 = User.query.get('uid=testuser,ou=users,dc=example,dc=com')
@@ -42,15 +42,15 @@ class TestUserRoleAttributes(UffdTestCase):
 		self.assertSetEqual(set(user1.groups), {group1, group2})
 
 class TestRoleModel(UffdTestCase):
-	def test_indirect_members(self):
+	def test_members_effective(self):
 		user1 = User.query.get('uid=testuser,ou=users,dc=example,dc=com')
 		user2 = User.query.get('uid=testadmin,ou=users,dc=example,dc=com')
 		included_role = Role(name='included', members=[user1])
 		default_role = Role(name='default', is_default=True)
 		role1 = Role(name='role1', included_roles=[included_role], members=[user2])
-		self.assertSetEqual(included_role.indirect_members, {user2})
-		self.assertSetEqual(default_role.indirect_members, {user1, user2})
-		self.assertSetEqual(role1.indirect_members, set())
+		self.assertSetEqual(included_role.members_effective, {user1, user2})
+		self.assertSetEqual(default_role.members_effective, {user1, user2})
+		self.assertSetEqual(role1.members_effective, {user2})
 
 	def test_included_roles_recursive(self):
 		baserole = Role(name='base')
@@ -63,13 +63,13 @@ class TestRoleModel(UffdTestCase):
 		baserole.included_roles.append(role1)
 		self.assertSetEqual(role3.included_roles_recursive, {baserole, role1, role2})
 
-	def test_included_groups(self):
+	def test_groups_effective(self):
 		group1 = Group.query.get('cn=users,ou=groups,dc=example,dc=com')
 		group2 = Group.query.get('cn=uffd_access,ou=groups,dc=example,dc=com')
 		baserole = Role(name='base', groups=[group1])
 		role1 = Role(name='role1', groups=[group2], included_roles=[baserole])
-		self.assertSetEqual(baserole.included_groups, set())
-		self.assertSetEqual(role1.included_groups, {group1})
+		self.assertSetEqual(baserole.groups_effective, {group1})
+		self.assertSetEqual(role1.groups_effective, {group1, group2})
 
 	def test_update_member_groups(self):
 		user1 = User.query.get('uid=testuser,ou=users,dc=example,dc=com')
@@ -196,14 +196,14 @@ class TestRoleViews(UffdTestCase):
 		user1 = User.query.get('uid=testuser,ou=users,dc=example,dc=com')
 		user2 = User.query.get('uid=testadmin,ou=users,dc=example,dc=com')
 		service_user = User.query.get('uid=service,ou=users,dc=example,dc=com')
-		self.assertSetEqual(set(user1.roles_recursive), set())
-		self.assertSetEqual(set(user2.roles_recursive), set())
-		self.assertSetEqual(set(service_user.roles_recursive), set())
+		self.assertSetEqual(set(user1.roles_effective), set())
+		self.assertSetEqual(set(user2.roles_effective), set())
+		self.assertSetEqual(set(service_user.roles_effective), set())
 		role.members.add(user1)
 		role.members.add(service_user)
-		self.assertSetEqual(set(user1.roles_recursive), {role})
-		self.assertSetEqual(set(user2.roles_recursive), set())
-		self.assertSetEqual(set(service_user.roles_recursive), {role})
+		self.assertSetEqual(set(user1.roles_effective), {role})
+		self.assertSetEqual(set(user2.roles_effective), set())
+		self.assertSetEqual(set(service_user.roles_effective), {role})
 		db.session.commit()
 		role_id = role.id
 		self.assertSetEqual(set(role.members), {user1, service_user})
@@ -213,8 +213,8 @@ class TestRoleViews(UffdTestCase):
 		role = Role.query.get(role_id)
 		service_user = User.query.get('uid=service,ou=users,dc=example,dc=com')
 		self.assertSetEqual(set(role.members), {service_user})
-		self.assertSetEqual(set(user1.roles_recursive), {role})
-		self.assertSetEqual(set(user2.roles_recursive), {role})
+		self.assertSetEqual(set(user1.roles_effective), {role})
+		self.assertSetEqual(set(user2.roles_effective), {role})
 		ldap.session.delete(service_user)
 		ldap.session.commit()
 
@@ -229,9 +229,9 @@ class TestRoleViews(UffdTestCase):
 		user2 = User.query.get('uid=testadmin,ou=users,dc=example,dc=com')
 		service_user = User.query.get('uid=service,ou=users,dc=example,dc=com')
 		role.members.add(service_user)
-		self.assertSetEqual(set(user1.roles_recursive), {role})
-		self.assertSetEqual(set(user2.roles_recursive), {role})
-		self.assertSetEqual(set(service_user.roles_recursive), {role})
+		self.assertSetEqual(set(user1.roles_effective), {role})
+		self.assertSetEqual(set(user2.roles_effective), {role})
+		self.assertSetEqual(set(service_user.roles_effective), {role})
 		db.session.commit()
 		role_id = role.id
 		self.assertSetEqual(set(role.members), {service_user})
@@ -241,8 +241,8 @@ class TestRoleViews(UffdTestCase):
 		role = Role.query.get(role_id)
 		service_user = User.query.get('uid=service,ou=users,dc=example,dc=com')
 		self.assertSetEqual(set(role.members), {service_user})
-		self.assertSetEqual(set(user1.roles_recursive), set())
-		self.assertSetEqual(set(user2.roles_recursive), set())
+		self.assertSetEqual(set(user1.roles_effective), set())
+		self.assertSetEqual(set(user2.roles_effective), set())
 		ldap.session.delete(service_user)
 		ldap.session.commit()
 
diff --git a/tests/test_user.py b/tests/test_user.py
index e2e03de35b495e9cec6c024919090107efd363c9..0caa4d752d3821e90e5b696ba67a4ae2fd75c2a2 100644
--- a/tests/test_user.py
+++ b/tests/test_user.py
@@ -84,7 +84,7 @@ class TestUserViews(UffdTestCase):
 		dump('user_new_submit', r)
 		self.assertEqual(r.status_code, 200)
 		user = User.query.get('uid=newuser,ou=users,dc=example,dc=com')
-		roles = sorted([r.name for r in user.roles_recursive])
+		roles = sorted([r.name for r in user.roles_effective])
 		self.assertIsNotNone(user)
 		self.assertFalse(user.is_service_user)
 		self.assertEqual(user.loginname, 'newuser')
@@ -177,7 +177,7 @@ class TestUserViews(UffdTestCase):
 		dump('user_update_submit', r)
 		self.assertEqual(r.status_code, 200)
 		_user = get_user()
-		roles = sorted([r.name for r in _user.roles_recursive])
+		roles = sorted([r.name for r in _user.roles_effective])
 		self.assertEqual(_user.displayname, 'New User')
 		self.assertEqual(_user.mail, 'newuser@example.com')
 		self.assertEqual(_user.uid, user.uid)
diff --git a/uffd/role/models.py b/uffd/role/models.py
index f8bce7566aec0661af94239fa059d8045ac4eb95..97e3f2c1200267ea1803977cf114e28b5c7d944d 100644
--- a/uffd/role/models.py
+++ b/uffd/role/models.py
@@ -50,18 +50,18 @@ def flatten_recursive(objs, attr):
 				new_objs.add(obj)
 	return objs
 
-def get_roles_recursive(user):
+def get_roles_effective(user):
 	base = set(user.roles)
 	if not user.is_service_user:
 		base.update(Role.query.filter_by(is_default=True))
 	return flatten_recursive(base, 'included_roles')
 
-User.roles_recursive = property(get_roles_recursive)
+User.roles_effective = property(get_roles_effective)
 
 def update_user_groups(user):
 	current_groups = set(user.groups)
 	groups = set()
-	for role in user.roles_recursive:
+	for role in user.roles_effective:
 		groups.update(role.groups)
 	if groups == current_groups:
 		return set(), set()
@@ -102,8 +102,8 @@ class Role(db.Model):
 	is_default = Column(Boolean(), default=False, nullable=False)
 
 	@property
-	def indirect_members(self):
-		users = set()
+	def members_effective(self):
+		users = set(self.members)
 		for role in flatten_recursive(self.including_roles, 'including_roles'):
 			users.update(role.members)
 		if self.is_default:
@@ -117,12 +117,12 @@ class Role(db.Model):
 		return flatten_recursive(self.included_roles, 'included_roles')
 
 	@property
-	def included_groups(self):
-		groups = set()
+	def groups_effective(self):
+		groups = set(self.groups)
 		for role in self.included_roles_recursive:
 			groups.update(role.groups)
 		return groups
 
 	def update_member_groups(self):
-		for user in set(self.members).union(self.indirect_members):
+		for user in self.members_effective:
 			user.update_groups()
diff --git a/uffd/role/templates/role/show.html b/uffd/role/templates/role/show.html
index db2c38109ed97dbbd2e615d9e067cda611b628cc..d1b381307a202ef790b3d5302eb15223ee4fdf5b 100644
--- a/uffd/role/templates/role/show.html
+++ b/uffd/role/templates/role/show.html
@@ -107,7 +107,7 @@ Name, moderator group, included roles and groups of this role are managed extern
 								{{ r.description }}
 							</td>
 							<td>
-								{% for group in r.included_groups.union(r.groups)|sort(attribute='name') %}
+								{% for group in r.groups_effective|sort(attribute='name') %}
 									<a href="{{ url_for("group.show", gid=group.gid) }}">{{ group.name }}</a>{{ ', ' if not loop.last }}
 								{% endfor %}
 							</td>
diff --git a/uffd/role/views.py b/uffd/role/views.py
index 3036a86d3990939c172a9d89ab912ae9b165a3c0..267c4e7bc0ea79db63b603485a0df3a34ef2f192 100644
--- a/uffd/role/views.py
+++ b/uffd/role/views.py
@@ -100,10 +100,10 @@ def delete(roleid):
 	if role.locked:
 		flash('Locked roles cannot be deleted')
 		return redirect(url_for('role.show', roleid=role.id))
-	oldmembers = set(role.members).union(role.indirect_members)
+	old_members = set(role.members_effective)
 	role.members.clear()
 	db.session.delete(role)
-	for user in oldmembers:
+	for user in old_members:
 		user.update_groups()
 	db.session.commit()
 	ldap.session.commit()
@@ -138,7 +138,7 @@ def unset_default(roleid):
 	role = Role.query.filter_by(id=roleid).one()
 	if not role.is_default:
 		return redirect(url_for('role.show', roleid=role.id))
-	old_members = set(role.members).union(role.indirect_members)
+	old_members = set(role.members_effective)
 	role.is_default = False
 	for user in old_members:
 		if not user.is_service_user: