The security settings of the Mendix out-of-the-box components do make sense; that's why they are not meant to be changed.
A work-around could be to create your own role entity and populate it either on demand or by synching it regularly…
Or, as the SSO module is using the account entity, you could add a calculated attribute to account, and have that filled by a microflow. Then you could add all the roles in a single string.
Note that calculated attributes do have some performance impact.
You could also set up your own role entity, associate it to account and override the createrole (and other role behavior) from the SSO module to not only create the system.role but also your own role…