Role download requires configuring policy-related CLI commands, which are part of the global configuration. This is not an issue on a standalone controller. In a master-local setup, however, most policy-related CLI commands are blocked on the local and cannot be configured there. For downloadable roles, these CLI commands should be allowed on the local. This is a departure from the current design, in which the master pushes the configuration to the locals. That design cannot be applied here for three reasons: the local controllers contact the RADIUS servers directly and not through the master; the downloaded roles cannot be saved and therefore cannot be propagated from the master; and there would be large delays if the download happened through the master. Allowing these commands on the local will cause its configuration to get out of sync with the other locals and the master, but this is acceptable because the downloaded roles are treated as system roles and are not saved.
When roles are downloaded on a master and a configuration push is done from the master, the downloaded roles will not be sent to the locals.
When roles are downloaded on the local and the master does a partial-configuration push that does not touch the downloadable role, the configuration sync will happen without affecting the downloaded role.
When roles are downloaded on the local and the master does a full-configuration push, which can happen if it is done explicitly or if an error occurs during a partial-configuration push, the downloaded roles will be removed and the users will fall into the logon role. A full-configuration push could be triggered by conflicting role names or a mismatch in ACE entries.