  1. WildFly
  2. WFLY-16570

Inconsistent SecurityIdentity when switching domain


    • Bug
    • Resolution: Unresolved
    • Major
    • 33.0.0.Beta1
    • None
    • Security
    • None

      Trying to update the test for https://issues.redhat.com/browse/WFLY-16387 / https://github.com/wildfly/wildfly/pull/15717 to check the output of the whois operation, I see inconsistent results for what SecurityIdentity is used when switching from the ApplicationDomain to the ManagementDomain. The files in question are attached and can be used to override the ones in the PR (AbstractJmxAccessFromDeploymentWithRbacTest.java + JmxResource.java). Also https://github.com/kabir/wildfly/pull/new/rbac-core-mbeans-16387-follow-up contains the changes.

       

      To attempt to summarise, the tests are run in three setups. Each setup accesses the platform mbean server, and also does an access via a remote mbean server connection. For the remote case, the results are consistent and become $local in each setup.

      The setups and results for switched security identity when using the platform mbean server are:

      • Mapping the anonymous identity to RBAC superuser: Here the security identity is 'anonymous' as expected
      • Doing the RBAC role mapping via 
        /core-service=management/access=authorization:write-attribute(name=use-identity-roles,value=true) 

        and having the ManagementRealm manage the SuperUser, the principal is 'kabir' as expected.

      • Doing the RBAC role mapping via 
        /core-service=management/access=authorization/role-mapping=SuperUser/include=user-kabir:add(name=kabir,type=USER) 

        the principal is 'anonymous' but I would expect 'kabir'.

       

       

            dvilkola@redhat.com Diana Krepinska
            kkhan1@redhat.com Kabir Khan