The odata access role was carried forward from Teiid to Teiid Spring Boot. We should rethink this.
I think the reason it was originally added was for installs that were not using data roles it ensured that odata access was not wide open. It also introduced the complexity that it could be using a different security domain that the default.
It's simplest to just remove the role requirement. As we've refined things we now are using the same realm through out and a single client for both odata and pg/jdbc access. Since it's very easy to add grant all roles to properly permissioned users or simple grant all read-only access, it does not seem necessary to further restrict odata access at the teiid level.