- Bug
- Resolution: Done
- Major
- 7.1.3.GA
1) Start EAP in standalone or domain mode, connect to the CLI, and create a user with the Deployer or Maintainer role
~~~
# Create a user named "maintainer" with add-user.sh, then run the following commands to map it to the Maintainer role
/core-service=management/access=authorization/role-mapping=Maintainer:add()
/core-service=management/access=authorization/role-mapping=Maintainer/include=maintainer:add(name=maintainer, type=user)
/core-service=management/access=authorization:write-attribute(name=provider, value=rbac)
reload
~~~
2) Apply the application constraint to data-sources and xa-data-sources
~~~
/core-service=management/access=authorization/constraint=application-classification/type=datasources/classification=data-source:write-attribute(name=configured-application,value=true)
/core-service=management/access=authorization/constraint=application-classification/type=datasources/classification=xa-data-source:write-attribute(name=configured-application,value=true)
~~~
3) Set the sensitivity constraints for security credentials to requires-write=false (and, for data-source-security, requires-read=false)
~~~
/core-service=management/access=authorization/constraint=sensitivity-classification/type=core/classification=credential:write-attribute(name=configured-requires-write,value=false)
/core-service=management/access=authorization/constraint=sensitivity-classification/type=core/classification=security-domain-ref:write-attribute(name=configured-requires-write,value=false)
/core-service=management/access=authorization/constraint=sensitivity-classification/type=datasources/classification=data-source-security:write-attribute(name=configured-requires-write,value=false)
/core-service=management/access=authorization/constraint=sensitivity-classification/type=datasources/classification=data-source-security:write-attribute(name=configured-requires-read,value=false)
~~~
4) Try to read / write the datasource's user-name and password:
~~~
[standalone@localhost:9990 /] /subsystem=datasources/data-source=ExampleDS:write-attribute(name=user-name, value=sa)
{
    "outcome" => "failed",
    "result" => undefined,
    "failure-description" => "WFLYCTL0313: Unauthorized to execute operation 'write-attribute' for resource '[ (\"subsystem\" => \"datasources\"), (\"data-source\" => \"ExampleDS\") ]' -- \"WFLYCTL0332: Permission denied\"",
    "rolled-back" => true
}
~~~
Resulting access-control configuration:
~~~
<access-control provider="rbac">
    <role-mapping>
        <role name="SuperUser">
            <include>
                <user name="$local"/>
            </include>
        </role>
        <role name="Maintainer">
            <include>
                <user alias="maintainer" name="maintainer"/>
            </include>
        </role>
    </role-mapping>
    <constraints>
        <sensitive-classifications>
            <sensitive-classification type="core" name="credential" requires-write="false"/>
            <sensitive-classification type="core" name="security-domain-ref" requires-write="false"/>
            <sensitive-classification type="datasources" name="data-source-security" requires-addressable="false" requires-read="false" requires-write="false"/>
        </sensitive-classifications>
        <application-classifications>
            <application-classification type="datasources" name="data-source" application="true"/>
            <application-classification type="datasources" name="xa-data-source" application="true"/>
        </application-classifications>
    </constraints>
</access-control>
~~~
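As an added audit check (not part of this report or of WildFly), the following Python script reads an access-control section like the one above and lists every sensitivity constraint that has been relaxed to false, next to the non-SuperUser role mappings that such relaxations affect; the sample XML is the report's block, constructed inline with the configuration namespace omitted.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <access-control> block from this report as it appears
# under <management> in standalone.xml (xmlns omitted; see _local for namespaced files).
SAMPLE_XML = """<access-control provider="rbac">
  <role-mapping>
    <role name="SuperUser"><include><user name="$local"/></include></role>
    <role name="Maintainer"><include><user alias="maintainer" name="maintainer"/></include></role>
  </role-mapping>
  <constraints>
    <sensitive-classifications>
      <sensitive-classification type="core" name="credential" requires-write="false"/>
      <sensitive-classification type="core" name="security-domain-ref" requires-write="false"/>
      <sensitive-classification type="datasources" name="data-source-security"
          requires-addressable="false" requires-read="false" requires-write="false"/>
    </sensitive-classifications>
  </constraints>
</access-control>"""

# The three per-classification switches WildFly RBAC exposes on sensitive resources.
FLAGS = ("requires-addressable", "requires-read", "requires-write")


def _local(tag):
    """Strip an XML namespace prefix such as {urn:jboss:domain:4.1} from a tag."""
    return tag.rsplit("}", 1)[-1]


def relaxed_sensitivities(xml_text):
    """Return (type, name, flag) for each sensitivity constraint set to "false".
    Every such entry opens the classified resources to non-Administrator roles
    (Maintainer, Deployer, ...), which is exactly what this report exercises."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        if _local(el.tag) != "sensitive-classification":
            continue
        for flag in FLAGS:
            if el.get(flag, "").strip().lower() == "false":
                findings.append((el.get("type"), el.get("name"), flag))
    return findings


def non_superuser_mappings(xml_text):
    """Map every role other than SuperUser to the user/group names included in it."""
    root = ET.fromstring(xml_text)
    mapping = {}
    for role in (r for r in root.iter() if _local(r.tag) == "role"):
        if role.get("name") == "SuperUser":
            continue
        members = [m.get("name") for inc in role if _local(inc.tag) == "include" for m in inc]
        mapping[role.get("name")] = members
    return mapping
```

Run relaxed_sensitivities() over the real standalone.xml or domain.xml access-control section; any finding for core/credential or datasources/data-source-security means the listed roles can read or set datasource passwords.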
- clones WFCORE-3995 Deployer or Maintainer RBAC role unable to write datasource credential after setting sensitive-classification credential requires-write=false (Resolved)
- is incorporated by JBEAP-16580 (7.2.z) Upgrade WildFly Core from 6.0.12 to 6.0.14 (Closed)