In the following configuration, I am setting a decoder but this decoder impacts both realms so the identity in the mgmt-groups.properties has to be the alias in the trustore.
I would like to set an X500-decoder on the ManagementRealm only in order to extract the CN and use this value as the identity name.

RBAC:

<access-control provider="rbac">
            <role-mapping>
                <role name="SuperUser">
                    <include>
                        <user name="$local"/>
                        <group alias="alias" name="TOTOGroup"/>
                    </include>
                </role>
            </role-mapping>
        </access-control>

Content of groups.properties:

52cd941b-abd2-46a4-a855-2634ca9a584e=TOTOGroup,

Key-store has an alias: 52cd941b-abd2-46a4-a855-2634ca9a584e

key-store realm: <key-store-realm name="ks-realm-trust-store-52cd941b-abd2-46a4-a855-2634ca9a584e" key-store="trust-store-52cd941b-abd2-46a4-a855-2634ca9a584e"/>

Aggregated realm: <aggregate-realm name="ag1" authentication-realm="ks-realm-trust-store-52cd941b-abd2-46a4-a855-2634ca9a584e" authorization-realm="ManagementRealm"/>

ManagementRealm is the out of the box one.

SASL-FACTORY:

<sasl-authentication-factory name="sasl-factory" sasl-server-factory="configured" security-domain="security-domain">
                    <mechanism-configuration>
                        <mechanism mechanism-name="EXTERNAL" realm-mapper="ag1"/>
                    </mechanism-configuration>
                </sasl-authentication-factory>

Security-domain:

<security-domain name="security-domain" permission-mapper="default-permission-mapper">
                    <realm name="ag1" principal-transformer="decoder" role-decoder="groups-to-roles"/>
</security-domain>

Transformer:

<constant-principal-decoder name="decoder" constant="52cd941b-abd2-46a4-a855-2634ca9a584e"/>

SSL CONTEXT:

<server-ssl-contexts>
                    <server-ssl-context name="ssl-context-cd503664-708d-42fc-8453-c24455924bf6" cipher-suite-filter="DEFAULT" protocols="TLSv1.2" want-client-auth="false" need-client-auth="true" authentication-optional="false" use-cipher-suites-order="false" key-manager="key-manager-cd503664-708d-42fc-8453-c24455924bf6" trust-manager="key-manager-trust-store-52cd941b-abd2-46a4-a855-2634ca9a584e"/>
                </server-ssl-contexts>