> Why does teiid/DV require duplicity in setting up "Data roles" instead of using groups/roles defined within LDAP/AD?

The primary issue is that you want DV to have a notion of data roles that is independent of the security mechanism so that it has a self-contained way of utilizing roles in the vdb. If you switch from LDAP to another system or just change a group name, the vdb remains consistent. All you have to do is change the data role mapping to the new group/role names.
Or do you mean something else?
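
An added example, not part of the original reply and not Teiid's own code: because the data role mapping is the only link between a vdb and the directory, a renamed group shows up as a mapping that no longer matches anything. The sketch below audits a vdb.xml for such stale mappings and for roles open to any authenticated user. The VDB, model and group names are constructed, and group matching is assumed to be exact and case-sensitive.

```python
import xml.etree.ElementTree as ET

# Constructed sample vdb.xml (hypothetical VDB, model and group names).
SAMPLE_VDB = """\
<vdb name="sales" version="1">
  <model name="Orders"/>
  <data-role name="ReadOnly" any-authenticated="false">
    <permission>
      <resource-name>Orders</resource-name>
      <allow-read>true</allow-read>
    </permission>
    <mapped-role-name>dv-readers</mapped-role-name>
  </data-role>
  <data-role name="ReadWrite">
    <permission>
      <resource-name>Orders</resource-name>
      <allow-read>true</allow-read>
      <allow-update>true</allow-update>
    </permission>
    <mapped-role-name>dv-admins</mapped-role-name>
    <mapped-role-name>sales-ops</mapped-role-name>
  </data-role>
  <data-role name="Public" any-authenticated="true"/>
</vdb>
"""

def audit_role_mappings(vdb_xml, directory_groups):
    """Return (data role, finding, group) tuples for mappings that need review."""
    findings = []
    for role in ET.fromstring(vdb_xml).iter("data-role"):
        name = role.get("name")
        mapped = [m.text.strip() for m in role.findall("mapped-role-name") if m.text]
        if role.get("any-authenticated", "false").lower() == "true":
            # Role applies to every authenticated user, whatever their groups.
            findings.append((name, "any-authenticated", None))
            continue
        if not mapped:
            findings.append((name, "unmapped", None))
        for group in mapped:
            if group not in directory_groups:
                # Mapping names a group the directory no longer has.
                findings.append((name, "stale-mapping", group))
    return findings

if __name__ == "__main__":
    # Constructed directory state: "dv-admins" was renamed to "dv-administrators".
    groups = {"dv-readers", "dv-administrators", "sales-ops"}
    for finding in audit_role_mappings(SAMPLE_VDB, groups):
        print(finding)
```

In the constructed case the permissions on `ReadWrite` are untouched by the rename; only its `mapped-role-name` needs updating.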