[GSS](7.1.0) EAP RBAC domain mode, "Deployer" role and constraints

Hi,

https://access.redhat.com/support/cases/01699736
https://access.redhat.com/solutions/1189913

We have a cu who wants the "Deployer" role in RBAC to be able to create
datasources and set the username/password. (not read, only write)

In standalone mode this is no problem.

• set the management interface to use LDAP, authentication + authorization
• enable RBAC, add "Deployer" with some user in it.
• grant the needed constraints as summarized in the above "solutions"
  article.
  => works as expected, the Deployer user can add the ds including the u/p.

However, we then move to domain mode:

• 2x EAP 6.4.10 installation, setup as master-slave
• on each controller, added one instance using a server-group set to
  "full-ha" profile
• RBAC/LDAP setup with a user in the "Deployer" role (and one in SuperUser)
• applied the constraints
• added a JDBC driver (module + driver) to "full-ha" and to "full" profiles
• restarted the whole setup

trying to add a datasource into the (active) "full-ha" fails with:

[domain@orac.usersys.redhat.com:9999 /]
/profile=full-ha/subsystem=datasources/data-source=oracle12DS:add(jndi-name="java:jboss/datasources/oracle12DS",use-ccm=true,connection-url="jdbc:oracle:thin:@zen.usersys.redhat.com:1521/ora12",driver-name=oracle,user-name=tom,password=tom,pool-prefill=true,min-pool-size=2,max-pool-size=10,pool-use-strict-min=true,valid-connection-checker-class-name="org.jboss.jca.adapters.jdbc.extensions.oracle.OracleValidConnectionChecker",stale-connection-checker-class-name="org.jboss.jca.adapters.jdbc.extensions.oracle.OracleStaleConnectionChecker",exception-sorter-class-name="org.jboss.jca.adapters.jdbc.extensions.oracle.OracleExceptionSorter",validate-on-match=true)
{
"outcome" => "failed",
"result" => undefined,
"failure-description" => "JBAS010839: Operation failed or was
rolled back on all servers.",
"rolled-back" => true,
"server-groups" => {"slaves" => {"host" => {
"master" => {"i1" => {"response" =>

{ "outcome" => "failed", "failure-description" => "JBAS013456: Unauthorized to execute operation 'add' for resource '[ (\"subsystem\" => \"datasources\"), (\"data-source\" => \"oracle12DS\") ]' -- \"JBAS013475: Permission denied\"", "rolled-back" => true }

}},
"slave1" => {"i2" => {"response" =>

{ "outcome" => "failed", "result" => undefined, "failure-description" => "JBAS013456: Unauthorized to execute operation 'add' for resource '[ (\"subsystem\" => \"datasources\"), (\"data-source\" => \"oracle12DS\") ]' -- \"JBAS013475: Permission denied\"", "rolled-back" => true }

}}
}}}
}

Repeating without username/password also gives the same error. So it
would seem that it's not even the sensitivity constraints but something
before.

Repeat the same on a non-active "full" profile -> the datasource
(including u/p) is created as requested.