If I understand correctly, roles that have include-all=true in their role mappings should be added to all authenticated users. In my tests, though, this only works in standalone mode.

In domain mode, if I set a role mapping to include-all, this setting is not reflected (at least not immediately; maybe it would work after restart, but that's wrong anyway). It doesn't matter which role is set to be include-all – in my tests, I use both standard roles and scoped roles and it consistently doesn't work. There's probably some wrong caching going on.

The failing test case is in my pull request https://github.com/wildfly/wildfly/pull/5166 (it's the RBAC tests for include-all role mappings in domain commit). If it's more convenient, the pull request is the same as my rbac branch (https://github.com/Ladicek/wildfly/commits/rbac).

Darran, I'm not sure if you are the right assignee – please reassign if needed. Thanks.