Set up domain mode. Enable RBAC /core-service=management/access=authorization:write-attribute(name=provider,value=rbac) Add scoped role: /core-service=management/access=authorization/server-group-scoped-role=DeployerIntegration:add(base-role=Administrator,server-groups= [main-server-group] ) /core-service=management/access=authorization/role-mapping=DeployerIntegration:add() /core-service=management/access=authorization/role-mapping=DeployerIntegration/include=user1:add(name=user1,realm=ManagementRealm,type=USER) Add another scoped role (similarly to the steps above) based on Monitor for other-server-group and assign this role to user1. Log in as user1 to admin console, go to the group configuration page, view other-server-group and than view main-server-group. user1 cannot edit the system properties of main-server-group, the "add" and "remove" button are not visible to the user. "clear" button from JVM configuration on the same page is also missing.