When I set the map-groups-to-roles attribute to true in a security realm, the user still doesn't get the role (with a name matching the group) assigned.

Reproducer:

1) Add an "admin" user with the "SuperUser" group to the Management interface:

    ./add-user.sh -u admin -p admin.1234 -r ManagementRealm -g SuperUser

2) Use the CLI to set the map-groups-to-roles flag, remove local authentication and enable RBAC (this step will probably finish with a CLI freeze due to bug 1149099):

    ./jboss-cli.sh -c << EOF
    /core-service=management/security-realm=ManagementRealm:write-attribute(name=map-groups-to-roles,value=true)
    /core-service=management/security-realm=ManagementRealm/authentication=local:remove
    /core-service=management/access=authorization:write-attribute(name=provider, value=rbac)
    /core-service=management/access=authorization:write-attribute(name=permission-combination-policy, value=permissive)
    reload
    EOF

3) Run any command (e.g. ls) in the CLI:

    ./jboss-cli.sh --user=admin --password=admin.1234 -c ls

Output:

    Failed to fetch the list of children: {
        "outcome" => "failed",
        "failure-description" => "JBAS013456: Unauthorized to execute operation 'composite' for resource '[]' -- \"JBAS013475: Permission denied\"",
        "rolled-back" => true
    }
The ability to automatically assume a 1:1 mapping between groups and roles is not supported for domain management access control and was deliberately disabled under the following issue:

- https://issues.jboss.org/browse/WFLY-2063

The configuration that is present on the realm is there for the benefit of applications where there is a need to automatically map 1:1 from group membership to role names.
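An explicit mapping for the management interface, as an added example that is not part of the report or the reply: because the realm's map-groups-to-roles flag is ignored for management access control, the group has to be attached to a role through the access=authorization role-mapping resource instead. It assumes EAP 6.2+/WildFly with RBAC, JBOSS_HOME pointing at the install and a server running on the default management port; the user and group names are the reproducer's.

```shell
#!/bin/sh
# Added example, not from the bug report or the developer's reply.
# Assumes EAP 6.2+/WildFly with RBAC support, JBOSS_HOME pointing at the
# install, and a server running on the default management port. The user
# "admin" and group "SuperUser" are the reproducer's values.

# Emit a jboss-cli batch that maps a realm group to a standard management role
# explicitly, then switches the provider to rbac. Local authentication is left
# in place so a mistake in the mapping cannot lock the administrator out.
rbac_cli_script() {
    group="$1"   # group name as stored in the realm (e.g. mgmt-groups.properties)
    role="$2"    # standard role: Monitor, Operator, Maintainer, Deployer,
                 # Auditor, Administrator or SuperUser
    cat <<EOF
if (outcome != success) of /core-service=management/access=authorization/role-mapping=$role:read-resource
    /core-service=management/access=authorization/role-mapping=$role:add
end-if
/core-service=management/access=authorization/role-mapping=$role/include=group-$group:add(name=$group,type=GROUP)
/core-service=management/access=authorization:write-attribute(name=provider,value=rbac)
EOF
}

# Apply the mapping, then confirm it with :whoami(verbose=true), which lists
# the roles granted to the identity that connected.
apply_and_verify() {
    cli="$JBOSS_HOME/bin/jboss-cli.sh"
    rbac_cli_script "$1" "$2" | "$cli" -c
    "$cli" -c --user=admin --password=admin.1234 --command=':whoami(verbose=true)'
}

# Only talks to a server when explicitly asked: ./rbac-mapping.sh apply
if [ "${1:-}" = apply ] && [ -n "${JBOSS_HOME:-}" ]; then
    apply_and_verify SuperUser SuperUser
fi
```

The whoami output should list SuperUser under roles for the admin user; only once it does is it safe to remove authentication=local as the reproducer's step 2 did.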