diff --git a/pillar/web/users/forms.py b/pillar/web/users/forms.py
index 15293c4a..e6efe659 100644
--- a/pillar/web/users/forms.py
+++ b/pillar/web/users/forms.py
@@ -59,21 +59,19 @@ class UserSettingsEmailsForm(Form):
         'Notifications', choices=choices, coerce=int)
 
 
-# TODO: refactor roles to be obtainable from the Pillar application.
+class RolesField(SelectMultipleField):
+    def __init__(self, label=None, validators=None, coerce=str, **kwargs):
+        role_choices = [(r, r) for r in sorted(self.form_roles())]
+        super().__init__(label=label, validators=validators, coerce=coerce,
+                         choices=role_choices, **kwargs)
+
+    @classmethod
+    def form_roles(cls) -> set:
+        """Returns the set of roles used in this form."""
+
+        from pillar import current_app
+        return current_app.user_roles
+
+
 class UserEditForm(Form):
-    ROLES = [
-        'admin',
-        'badger',
-        'demo',
-        'flamenco-admin',
-        'flamenco_manager',
-        'flamenco-user',
-        'homeproject',
-        'protected',
-        'service',
-        'subscriber',
-        'svner',
-        'urler',
-    ]
-    role_choices = [(r, r) for r in ROLES]
-    roles = SelectMultipleField('Roles', choices=role_choices)
+    roles = RolesField('Roles')
diff --git a/pillar/web/users/routes.py b/pillar/web/users/routes.py
index 59f4da80..3509c5f3 100644
--- a/pillar/web/users/routes.py
+++ b/pillar/web/users/routes.py
@@ -243,7 +243,7 @@ def _users_edit(form, user, api):
     roles_in_form = set(form.roles.data)
 
     granted_roles = roles_in_form - current_user_roles
-    revoked_roles = set(UserEditForm.ROLES) - roles_in_form
+    revoked_roles = forms.RolesField.form_roles() - roles_in_form
 
     # role_to_group_id contains ObjectIDs, but the SDK works with strings.
     granted_groups = {str(role_to_group_id[role])