diff --git a/invenio_oauthclient/handlers/utils.py b/invenio_oauthclient/handlers/utils.py
index 73453ab..70507d5 100644
--- a/invenio_oauthclient/handlers/utils.py
+++ b/invenio_oauthclient/handlers/utils.py
@@ -14,6 +14,7 @@
 from flask_login import current_user
 from invenio_accounts.models import Role
 from invenio_accounts.proxies import current_datastore
+from invenio_db import db
 from werkzeug.utils import import_string
 
 from ..models import RemoteAccount
@@ -113,38 +114,42 @@ def create_or_update_roles(groups):
     roles_ids = set()
     for group in groups:
         try:
-            current_app.logger.debug(f"Syncing role: {group['name']}")
-            existing_role = current_datastore.find_role_by_id(group["id"])
-            if existing_role and existing_role.is_managed:
-                current_app.logger.exception(
-                    f'Error while syncing roles: A managed role with id: ${group["id"]} already exists'
-                )
-                continue
-            existing_role_by_name = current_datastore.find_role(group["name"])
-            if existing_role_by_name and existing_role_by_name.is_managed:
-                current_app.logger.exception(
-                    f'Error while syncing roles: A managed role with name: ${group["name"]} already exists'
-                )
-                continue
-            if not existing_role:
-                role = current_datastore.create_role(
-                    id=group["id"],
-                    name=group["name"],
-                    description=group.get("description"),
-                    is_managed=False,
-                )
-                roles_ids.add(role.id)
-            elif existing_role and _role_needs_update(existing_role, group):
-                role_to_update = Role(
-                    id=group["id"],
-                    name=group["name"],
-                    description=group.get("description"),
-                    is_managed=False,
-                )
-                role = current_datastore.update_role(role_to_update)
-                roles_ids.add(role.id)
-            else:
-                roles_ids.add(existing_role.id)
+            with db.session.begin_nested():
+                current_app.logger.debug(f"Syncing role: {group['name']}")
+
+                existing_role = current_datastore.find_role_by_id(group["id"])
+                if existing_role and existing_role.is_managed:
+                    current_app.logger.exception(
+                        f'Error while syncing roles: A managed role with id: {group["id"]} already exists'
+                    )
+                    continue
+
+                existing_role_by_name = current_datastore.find_role(group["name"])
+                if existing_role_by_name and existing_role_by_name.is_managed:
+                    current_app.logger.exception(
+                        f'Error while syncing roles: A managed role with name: {group["name"]} already exists'
+                    )
+                    continue
+
+                if not existing_role:
+                    role = current_datastore.create_role(
+                        id=group["id"],
+                        name=group["name"],
+                        description=group.get("description"),
+                        is_managed=False,
+                    )
+                    roles_ids.add(role.id)
+                elif existing_role and _role_needs_update(existing_role, group):
+                    role_to_update = Role(
+                        id=group["id"],
+                        name=group["name"],
+                        description=group.get("description"),
+                        is_managed=False,
+                    )
+                    role = current_datastore.update_role(role_to_update)
+                    roles_ids.add(role.id)
+                else:
+                    roles_ids.add(existing_role.id)
 
         except Exception as e:
             current_app.logger.error(