Elytron should provide an option to create an adhoc/runas SecurityIdentity with role associtation. The current available options to create a SecurityIdentity, SecurityDomain.getCurrent().createAdHocIdentity() and  SecurityDomain.getCurrent().getCurrentSecurityIdentity().createRunAsIdentity() takes only the user principal as argument. I don't see any api like like SecurityDomain.getCurrent().createAdHocIdentity(Principal principal, String role). This will enable easier migration from Picketbox to Elytron.

Here's an example of how Picketbox lib is used to create a RunAsIdentity
 
RunAsIdentity identity = new RunAsIdentity(role, principal);
 
SecurityContext securityContext = SecurityContextAssociation.getSecurityContext();      

securityContext.setOutgoingRunAs(identity);
securityContext.setIncomingRunAs(identity);