Bug 1109583 - CLI Roles Grant + Deny
Summary: CLI Roles Grant + Deny
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Data Grid 6
Classification: JBoss
Component: Library, Server
Version: 6.3.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: CR1
: 6.3.0
Assignee: Tristan Tarrant
QA Contact: Martin Gencur
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-06-15 17:08 UTC by Tristan Tarrant
Modified: 2015-01-26 14:06 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-01-26 14:06:23 UTC
Type: Bug
Embargoed:


Attachments
hotrod secured with fix for users without roles (35.35 KB, application/x-zip-compressed)
2014-07-04 08:46 UTC, Vitalii Chepeliuk
Add server configuration for quickstart (10.87 KB, text/xml)
2014-07-04 08:49 UTC, Vitalii Chepeliuk


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker ISPN-4264 0 Major Resolved CLI should be able to manipulate role mapping 2015-10-09 07:38:03 UTC

Description Tristan Tarrant 2014-06-15 17:08:19 UTC

Comment 2 Vitalii Chepeliuk 2014-06-27 14:38:45 UTC
Running a standalone server with standalone-auth.xml. I changed only identity-role-mapper to cluster-role-mapper and then tried to do the following from the console:
[standalone@localhost:9999 cache-container=local] cache secured
[standalone@localhost:9999 local-cache=secured] roles

I got an UnsupportedOperationException:
16:36:24,259 ERROR [org.infinispan.cli.interpreter.Interpreter] (management-handler-thread - 1) ISPN019003: Interpreter error: java.lang.UnsupportedOperationException
        at org.infinispan.security.impl.ClusterRoleMapper.listAll(ClusterRoleMapper.java:69) [infinispan-core-6.1.0.ER7-redhat-1.jar:6.1.0.ER7-redhat-1]
        at org.infinispan.cli.interpreter.statement.RolesStatement.execute(RolesStatement.java:41) [infinispan-cli-server-6.1.0.ER7-redhat-1.jar:6.1.0.ER7-redhat-1]
        at org.infinispan.cli.interpreter.Interpreter.execute(Interpreter.java:149) [infinispan-cli-server-6.1.0.ER7-redhat-1.jar:6.1.0.ER7-redhat-1]
        at org.infinispan.server.infinispan.SecurityActions$5.run(SecurityActions.java:164) [infinispan-server-infinispan-6.1.0.ER7-redhat-1.jar:6.1.0.ER7-redhat-1]
        at org.infinispan.server.infinispan.SecurityActions$5.run(SecurityActions.java:161) [infinispan-server-infinispan-6.1.0.ER7-redhat-1.jar:6.1.0.ER7-redhat-1]
        at org.infinispan.security.Security.doPrivileged(Security.java:89) [infinispan-core-6.1.0.ER7-redhat-1.jar:6.1.0.ER7-redhat-1]
        at org.infinispan.server.infinispan.SecurityActions.doPrivileged(SecurityActions.java:53) [infinispan-server-infinispan-6.1.0.ER7-redhat-1.jar:6.1.0.ER7-redhat-1]
        at org.infinispan.server.infinispan.SecurityActions.executeInterpreter(SecurityActions.java:167) [infinispan-server-infinispan-6.1.0.ER7-redhat-1.jar:6.1.0.ER7-redhat-1]
        at org.jboss.as.clustering.infinispan.subsystem.CliInterpreterHandler.execute(CliInterpreterHandler.java:49) [infinispan-server-infinispan-6.1.0.ER7-redhat-1.jar:6.1.0.ER7-redhat-1]
        at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:601) [jboss-as-controller-7.3.3.Final-redhat-3.jar:7.3.3.Final-redhat-3]
        at org.jboss.as.controller.AbstractOperationContext.doCompleteStep(AbstractOperationContext.java:479) [jboss-as-controller-7.3.3.Final-redhat-3.jar:7.3.3.Final-redhat-3]
        at org.jboss.as.controller.AbstractOperationContext.completeStepInternal(AbstractOperationContext.java:283) [jboss-as-controller-7.3.3.Final-redhat-3.jar:7.3.3.Final-redhat-3]
        at org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:278) [jboss-as-controller-7.3.3.Final-redhat-3.jar:7.3.3.Final-redhat-3]
        at org.jboss.as.controller.ModelControllerImpl.internalExecute(ModelControllerImpl.java:231) [jboss-as-controller-7.3.3.Final-redhat-3.jar:7.3.3.Final-redhat-3]
        at org.jboss.as.controller.ModelControllerImpl.execute(ModelControllerImpl.java:137) [jboss-as-controller-7.3.3.Final-redhat-3.jar:7.3.3.Final-redhat-3]
        at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler.doExecute(ModelControllerClientOperationHandler.java:173) [jboss-as-controller-7.3.3.Final-redhat-3.jar:7.3.3.Final-redhat-3]
        at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler.access$300(ModelControllerClientOperationHandler.java:105) [jboss-as-controller-7.3.3.Final-redhat-3.jar:7.3.3.Final-redhat-3]
        at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1$1.run(ModelControllerClientOperationHandler.java:125) [jboss-as-controller-7.3.3.Final-redhat-3.jar:7.3.3.Final-redhat-3]
        at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1$1.run(ModelControllerClientOperationHandler.java:121) [jboss-as-controller-7.3.3.Final-redhat-3.jar:7.3.3.Final-redhat-3]
        at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_51]
        at javax.security.auth.Subject.doAs(Subject.java:415) [rt.jar:1.7.0_51]
        at org.jboss.as.controller.AccessAuditContext.doAs(AccessAuditContext.java:94) [jboss-as-controller-7.3.3.Final-redhat-3.jar:7.3.3.Final-redhat-3]
        at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1.execute(ModelControllerClientOperationHandler.java:121) [jboss-as-controller-7.3.3.Final-redhat-3.jar:7.3.3.Final-redhat-3]
        at org.jboss.as.protocol.mgmt.AbstractMessageHandler$2$1.doExecute(AbstractMessageHandler.java:283)
        at org.jboss.as.protocol.mgmt.AbstractMessageHandler$AsyncTaskRunner.run(AbstractMessageHandler.java:504)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_51]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_51]
        at java.lang.Thread.run(Thread.java:744) [rt.jar:1.7.0_51]
        at org.jboss.threads.JBossThread.run(JBossThread.java:122) [jboss-threads-2.1.1.Final-redhat-1.jar:2.1.1.Final-redhat-1]

Comment 3 Tristan Tarrant 2014-06-27 16:07:19 UTC
Vitalii, this works on CR1. Please always test with the latest release.

Comment 4 Vitalii Chepeliuk 2014-07-04 08:46:48 UTC
Created attachment 914652 [details]
hotrod secured with fix for users without roles

Comment 5 Vitalii Chepeliuk 2014-07-04 08:48:24 UTC
1) The roles command is not showing users and roles correctly.
Added two users:
bin/add-user.sh -a -u user1 -p qwer1234@
bin/add-user.sh -a -u user2 -p qwer1234@

[standalone@localhost:9999 cache-container=local] roles
<<< Here there should be a map showing that user1 and user2 have no roles
[standalone@localhost:9999 cache-container=local] cache teams
[standalone@localhost:9999 local-cache=teams] grant writer to user1
[standalone@localhost:9999 local-cache=teams] grant reader to user2
[standalone@localhost:9999 local-cache=teams] roles
[reader][writer]
<<< So we actually do not see a map {user, [roles]}; we see only that the writer role is granted to some user and the reader role is assigned to some user
2) Wrong roles are mapped to the user.
If I try to run the hotrod-secured quickstart and call "grant writer to user1", I got the following output from the quickstart:
Enter username: user1
Enter password: qwer1234@
Choose action:
=============
at  -  add a team
ap  -  add a player to a team
rt  -  remove a team
rp  -  remove a player from a team
p   -  print all teams and players
q   -  quit
>at
Enter team name: Real
ACCESS DENIED: at, PERMISSION RESTRICTED

So that means I can't write to the cache.
But when I call "grant reader role to user1", then I am able to write to the cache:
>at
Enter team name: Real
>p
=== Team: Real ===
Players:
>ap
Enter team name: p1
The specified team "p1" does not exist, choose next operation
>ap
Enter team name: Real
Enter player's name(to stop adding, type "q"): p1
Enter player's name(to stop adding, type "q"): p2
Enter player's name(to stop adding, type "q"): p3
Enter player's name(to stop adding, type "q"): p4
Enter player's name(to stop adding, type "q"): p5
Enter player's name(to stop adding, type "q"): q
>p
=== Team: Real ===
Players:
- p1
- p2
- p3
- p4
- p5
>
3) Users not specified in ApplicationRealm should be now allowed to grant roles
[standalone@localhost:9999 local-cache=teams] grant reader to user3
[standalone@localhost:9999 local-cache=teams] roles
[reader][reader][reader, writer]

Use the quickstart from the attachment.

Comment 6 Vitalii Chepeliuk 2014-07-04 08:49:45 UTC
Created attachment 914654 [details]
Add server configuration for quickstart

Comment 7 Vitalii Chepeliuk 2014-07-07 08:20:22 UTC
So I tested it again and this seems to work. In the quickstart I use the get() operation, so I need the [reader, writer] roles to be specified to add new entries to the cache.
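As an added illustration (example code, not Infinispan's or the quickstart's own), the following Python models what Comments 5 and 7 describe: a cluster-style role mapper that `grant`/`deny` update, the `{user: [roles]}` listing the reporter expected from `roles`, and a permission check under which the quickstart's "add a team" action needs both reader and writer because it calls get() before writing. The role names, permission names and the per-action permission table are assumptions made for this example.

```python
from typing import Dict, FrozenSet, List, Set

# Constructed illustration (not Infinispan's code) of a cluster-style role
# mapper plus a role -> permission table deciding the quickstart's actions.
# Role and permission names are assumed for the example.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "reader": frozenset({"READ"}),
    "writer": frozenset({"WRITE"}),
}

# Permissions each quickstart action needs. "at" (add a team) does a get()
# before storing the entry, as Comment 7 explains, so it needs READ and WRITE.
ACTION_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "at": frozenset({"READ", "WRITE"}),
    "p": frozenset({"READ"}),
}


class RoleMapper:
    """Principal -> roles mapping, as a cluster-role-mapper would keep it."""

    def __init__(self) -> None:
        self._roles: Dict[str, Set[str]] = {}

    def grant(self, role: str, principal: str) -> None:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role: {role}")
        self._roles.setdefault(principal, set()).add(role)

    def deny(self, role: str, principal: str) -> None:
        self._roles.get(principal, set()).discard(role)

    def list_all(self) -> Dict[str, List[str]]:
        """The {user: [roles]} view the reporter expected from `roles`."""
        return {p: sorted(r) for p, r in sorted(self._roles.items())}

    def permissions_of(self, principal: str) -> FrozenSet[str]:
        perms: Set[str] = set()
        for role in self._roles.get(principal, ()):
            perms |= ROLE_PERMISSIONS[role]
        return frozenset(perms)


def authorize(mapper: RoleMapper, principal: str, action: str) -> str:
    """Return 'OK' or the quickstart-style denial line for the action."""
    if ACTION_PERMISSIONS[action] <= mapper.permissions_of(principal):
        return "OK"
    return f"ACCESS DENIED: {action}, PERMISSION RESTRICTED"
```

With only writer granted, `authorize(m, "user1", "at")` yields the denial line from Comment 5; after `grant("reader", "user1")` it yields "OK", and `list_all()` shows user1 with both roles.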

