diff --git a/controller/src/main/java/org/jboss/as/controller/AbstractControllerService.java b/controller/src/main/java/org/jboss/as/controller/AbstractControllerService.java index e77125eefdac..a6f594e2596f 100644 --- a/controller/src/main/java/org/jboss/as/controller/AbstractControllerService.java +++ b/controller/src/main/java/org/jboss/as/controller/AbstractControllerService.java @@ -331,7 +331,13 @@ public void run() { } } }; - injectedExecutorService.getValue().execute(r); + ExecutorService executorService = injectedExecutorService.getOptionalValue(); + if (executorService != null) { + injectedExecutorService.getValue().execute(r); + } else { + Thread executorShutdown = new Thread(r, getClass().getSimpleName() + " Shutdown Thread"); + executorShutdown.start(); + } } /** diff --git a/controller/src/main/java/org/jboss/as/controller/access/Authorizer.java b/controller/src/main/java/org/jboss/as/controller/access/Authorizer.java index 7ddbddbc755c..c93df084f9c5 100644 --- a/controller/src/main/java/org/jboss/as/controller/access/Authorizer.java +++ b/controller/src/main/java/org/jboss/as/controller/access/Authorizer.java @@ -22,7 +22,6 @@ package org.jboss.as.controller.access; - import java.util.Set; /** 
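Review bot: The null check in the `AbstractControllerService` hunk reads `getOptionalValue()` into `executorService` but then calls `injectedExecutorService.getValue().execute(r)`, so the reference that was checked is not the one used and the injector is read twice; `executorService.execute(r);` is the direct form. In the fallback branch the new thread is started with default settings, so an exception thrown inside `r` only reaches the default uncaught-exception handler. A one-line comment on why an unmanaged thread is acceptable here would help. The enclosing method starts above the hunk.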
@@ -72,20 +71,16 @@ public interface Authorizer { AuthorizationResult authorizeJmxOperation(Caller caller, Environment callEnvironment, JmxAction action); /** - * Gets whether the given caller can run in the given role. + * Gets the set of roles the caller can run as taking into account and requested 'run as' roles. * - * @param roleName the name of the role. Cannot be {@code null} * @param caller the caller. Cannot be {@code null} * @param callEnvironment the call environment. Cannot be {@code null} - * @param operationHeaderRoles any roles specified as headers in the operation. May be {@code null} + * @param runAsRoles any requested 'run as' roles. May be {@code null} * - * @return {@code true} if the caller maps to the given role in the given environment. {@code false} if the - * caller does not map to the role for whatever reason, including because the authorizer implementation - * is not {@link AuthorizerDescription#isRoleBased() role based} or because the implementation does not support mapping roles - * without {@link Action}, {@link JmxAction}, {@link TargetResource} and/or {@link TargetAttribute} - * information. + * @return The set of roles assigned to the caller, an empty set may be returned of no roles are assigned or {@code null} + * may be returned if the access control provider does not support role mapping. */ - boolean isCallerInRole(String roleName, Caller caller, Environment callEnvironment, Set operationHeaderRoles); + Set getCallerRoles(Caller caller, Environment callEnvironment, Set runAsroles); /** * Description of standard information about the custom authorizer. diff --git a/controller/src/main/java/org/jboss/as/controller/access/management/DelegatingConfigurableAuthorizer.java b/controller/src/main/java/org/jboss/as/controller/access/management/DelegatingConfigurableAuthorizer.java index cc2d54a32444..18761433e40b 100644 --- a/controller/src/main/java/org/jboss/as/controller/access/management/DelegatingConfigurableAuthorizer.java 
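Review bot: The new Javadoc documents `@param runAsRoles` while the signature declares `runAsroles`, so the tag does not match the parameter; renaming the parameter to `runAsRoles` here and in the implementing classes fixes it. The summary has two slips: "taking into account and requested" should read "taking into account any requested", and "of no roles are assigned" should read "if no roles are assigned". Because `null` now means "role mapping unsupported" and an empty set means "no roles", the `@return` text should also say that callers must check for `null` before using the result.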
+++ b/controller/src/main/java/org/jboss/as/controller/access/management/DelegatingConfigurableAuthorizer.java @@ -79,8 +79,8 @@ public void setDelegate(Authorizer delegate) { } @Override - public boolean isCallerInRole(String roleName, Caller caller, Environment callEnvironment, Set operationHeaderRoles) { - return delegate.isCallerInRole(roleName, caller, callEnvironment, operationHeaderRoles); + public Set getCallerRoles(Caller caller, Environment callEnvironment, Set runAsroles) { + return delegate.getCallerRoles(caller, callEnvironment, runAsroles); } @Override diff --git a/controller/src/main/java/org/jboss/as/controller/access/management/WritableAuthorizerConfiguration.java b/controller/src/main/java/org/jboss/as/controller/access/management/WritableAuthorizerConfiguration.java index 23410338b85e..c0f6c3aec813 100644 --- a/controller/src/main/java/org/jboss/as/controller/access/management/WritableAuthorizerConfiguration.java +++ b/controller/src/main/java/org/jboss/as/controller/access/management/WritableAuthorizerConfiguration.java @@ -34,6 +34,7 @@ import org.jboss.as.controller.access.Authorizer; import org.jboss.as.controller.access.AuthorizerConfiguration; import org.jboss.as.controller.access.Caller; +import org.jboss.as.controller.access.rbac.StandardRBACAuthorizer; /** * Standard {@link AuthorizerConfiguration} implementation that also exposes mutator APIs for use by 
@@ -51,11 +52,33 @@ public class WritableAuthorizerConfiguration implements AuthorizerConfiguration private volatile RoleMaps roleMaps; private final Set scopedRoleListeners = new LinkedHashSet(); - WritableAuthorizerConfiguration(Authorizer.AuthorizerDescription authorizerDescription) { + public WritableAuthorizerConfiguration(Authorizer.AuthorizerDescription authorizerDescription) { this.authorizerDescription = authorizerDescription; this.roleMaps = new RoleMaps(authorizerDescription.getStandardRoles(), Collections.emptyMap()); } + /** + * Reset the internal state of this object back to what it originally was. + * Only to be used in a slave host controller following a post-boot reconnect + * to the master. + */ + public synchronized void domainReconnectReset() { + this.authorizerDescription = StandardRBACAuthorizer.AUTHORIZER_DESCRIPTION; + this.useRealmRoles = this.nonFacadeMBeansSensitive = false; + this.roleMappings = new HashMap(); + RoleMaps oldRoleMaps = this.roleMaps; + this.roleMaps = new RoleMaps(authorizerDescription.getStandardRoles(), Collections.emptyMap()); + for (ScopedRole role : oldRoleMaps.scopedRoles.values()) { + for (ScopedRoleListener listener : scopedRoleListeners) { + try { + listener.scopedRoleRemoved(role); + } catch (Exception ignored) { + // TODO log an ERROR + } + } + } + } + public synchronized void registerScopedRoleListener(ScopedRoleListener listener) { scopedRoleListeners.add(listener); } diff --git a/controller/src/main/java/org/jboss/as/controller/access/permission/ManagementPermissionAuthorizer.java b/controller/src/main/java/org/jboss/as/controller/access/permission/ManagementPermissionAuthorizer.java index 6241edff9317..5aad181bc0b5 100644 --- a/controller/src/main/java/org/jboss/as/controller/access/permission/ManagementPermissionAuthorizer.java +++ b/controller/src/main/java/org/jboss/as/controller/access/permission/ManagementPermissionAuthorizer.java 
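Review bot: In `domainReconnectReset()` the `catch (Exception ignored)` around `listener.scopedRoleRemoved(role)` drops the failure with only `// TODO log an ERROR`, so a listener that fails to unregister a scoped role leaves that state behind with no trace; the catch should log the role and the exception at error level before continuing. The method resets `useRealmRoles`, `roleMappings` and `roleMaps` in separate assignments, and the hunk does not show whether readers take the same lock, so a concurrent authorization check may see a partially reset configuration — worth confirming. The Javadoc should state which configuration authorizes requests between this reset and the re-application of the master's settings. The constructor is widened to `public` without explanation; a short comment on which caller needs it would help.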
@@ -130,9 +130,9 @@ public AuthorizationResult authorizeJmxOperation(Caller caller, Environment call } @Override - public boolean isCallerInRole(String roleName, Caller caller, Environment callEnvironment, Set operationHeaderRoles) { + public Set getCallerRoles(Caller caller, Environment callEnvironment, Set runAsroles) { // Not supported in this base class; see StandardRBACAuthorizer - return false; + return null; } private AuthorizationResult authorize(Set callerRoles, StandardRole...roles) { diff --git a/controller/src/main/java/org/jboss/as/controller/access/rbac/StandardRBACAuthorizer.java b/controller/src/main/java/org/jboss/as/controller/access/rbac/StandardRBACAuthorizer.java index 1fc900f69816..7510bcf16ab5 100644 --- a/controller/src/main/java/org/jboss/as/controller/access/rbac/StandardRBACAuthorizer.java +++ b/controller/src/main/java/org/jboss/as/controller/access/rbac/StandardRBACAuthorizer.java @@ -91,18 +91,8 @@ private StandardRBACAuthorizer(final AuthorizerConfiguration configuration, } @Override - public boolean isCallerInRole(String roleName, Caller caller, Environment callEnvironment, Set operationHeaderRoles) { - Set mappedRoles = roleMapper.mapRoles(caller, callEnvironment, operationHeaderRoles); - if (mappedRoles.contains(roleName)) { - return true; - } else { - for (String role : mappedRoles) { - if (role.equalsIgnoreCase(roleName)) { - return true; - } - } - } - return false; + public Set getCallerRoles(Caller caller, Environment callEnvironment, Set runAsroles) { + return roleMapper.mapRoles(caller, callEnvironment, runAsroles); } @Override diff --git a/controller/src/main/java/org/jboss/as/controller/extension/ExtensionRegistry.java b/controller/src/main/java/org/jboss/as/controller/extension/ExtensionRegistry.java index bf9965264a35..6ede9e86d78e 100644 --- a/controller/src/main/java/org/jboss/as/controller/extension/ExtensionRegistry.java +++ b/controller/src/main/java/org/jboss/as/controller/extension/ExtensionRegistry.java 
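Review bot: `getCallerRoles` in `ManagementPermissionAuthorizer` now returns `null` to mean "unsupported", and the `ExtensionRegistry` implementation in a later hunk does the same, so every caller has to null-check before touching the set. The existing comment could be extended to `// Role mapping not supported here: returns null, not an empty set; see StandardRBACAuthorizer`, and the `ExtensionRegistry` method deserves the same line. In the `StandardRBACAuthorizer` hunk on this line the set from `roleMapper.mapRoles(...)` is handed out as-is; if that set is shared state (not visible here), returning an unmodifiable view would stop callers from altering it.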
@@ -1079,8 +1079,8 @@ public AuthorizationResult authorizeJmxOperation(Caller caller, Environment call } @Override - public boolean isCallerInRole(String roleName, Caller caller, Environment callEnvironment, Set operationHeaderRoles) { - return false; + public Set getCallerRoles(Caller caller, Environment callEnvironment, Set runAsroles) { + return null; } @Override diff --git a/core-model-test/framework/src/main/java/org/jboss/as/core/model/test/TestModelControllerService.java b/core-model-test/framework/src/main/java/org/jboss/as/core/model/test/TestModelControllerService.java index 367db4e09d5f..88144c5b38e0 100755 --- a/core-model-test/framework/src/main/java/org/jboss/as/core/model/test/TestModelControllerService.java +++ b/core-model-test/framework/src/main/java/org/jboss/as/core/model/test/TestModelControllerService.java @@ -463,7 +463,7 @@ public void initCoreModel(Resource rootResource, ManagementResourceRegistration @Override public void registerHostModel(String hostName, ManagementResourceRegistration rootRegistration) { } - },ProcessType.HOST_CONTROLLER); + },ProcessType.HOST_CONTROLLER, authorizer); HostModelUtil.createHostRegistry( hostName, @@ -516,7 +516,7 @@ public void initCoreModel(Resource rootResource, ManagementResourceRegistration @Override public void registerHostModel(String hostName, ManagementResourceRegistration root) { } - },processType); + },processType, authorizer); } } diff --git a/domain-management/src/main/java/org/jboss/as/domain/management/CoreManagementResourceDefinition.java b/domain-management/src/main/java/org/jboss/as/domain/management/CoreManagementResourceDefinition.java index 1263a67ec283..a97f01a27903 100644 --- a/domain-management/src/main/java/org/jboss/as/domain/management/CoreManagementResourceDefinition.java +++ b/domain-management/src/main/java/org/jboss/as/domain/management/CoreManagementResourceDefinition.java 
@@ -36,6 +36,7 @@ import org.jboss.as.controller.access.management.DelegatingConfigurableAuthorizer; import org.jboss.as.controller.audit.ManagedAuditLogger; import org.jboss.as.controller.registry.ManagementResourceRegistration; +import org.jboss.as.controller.registry.Resource; import org.jboss.as.controller.services.path.PathManagerService; import org.jboss.as.domain.management._private.DomainManagementResolver; import org.jboss.as.domain.management.access.AccessAuthorizationResourceDefinition; @@ -56,6 +57,12 @@ public class CoreManagementResourceDefinition extends SimpleResourceDefinition { public static final PathElement PATH_ELEMENT = PathElement.pathElement(CORE_SERVICE, MANAGEMENT); + public static void registerDomainResource(Resource parent) { + Resource coreManagement = Resource.Factory.create(); + coreManagement.registerChild(AccessAuthorizationResourceDefinition.PATH_ELEMENT, AccessAuthorizationResourceDefinition.RESOURCE); + parent.registerChild(PATH_ELEMENT, coreManagement); + } + private final Environment environment; private final List interfaces; private final DelegatingConfigurableAuthorizer authorizer; diff --git a/domain-management/src/main/java/org/jboss/as/domain/management/ModelDescriptionConstants.java b/domain-management/src/main/java/org/jboss/as/domain/management/ModelDescriptionConstants.java index 10bcd988c7da..cf9b14dd7a72 100644 --- a/domain-management/src/main/java/org/jboss/as/domain/management/ModelDescriptionConstants.java +++ b/domain-management/src/main/java/org/jboss/as/domain/management/ModelDescriptionConstants.java 
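Review bot: `registerDomainResource(Resource parent)` is a new public static entry point with no Javadoc. A comment such as `/** Registers a management resource, with the access-authorization child resource, under {@code parent}. */` would state its purpose. The child it attaches is the shared static `AccessAuthorizationResourceDefinition.RESOURCE`, so the comment should also say that the same instance is registered under every parent passed in.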
@@ -43,6 +43,7 @@ public class ModelDescriptionConstants { public static final String KEYSTORE_PATH = "keystore-path"; public static final String KEYSTORE_RELATIVE_TO = "keystore-relative-to"; public static final String LOCAL = "local"; + public static final String MAPPED_ROLES = "mapped-roles"; public static final String MECHANISM = "mechanism"; public static final String NAME = "name"; public static final String PASSWORD = "password"; diff --git a/domain-management/src/main/java/org/jboss/as/domain/management/access/AbstractClassificationResource.java b/domain-management/src/main/java/org/jboss/as/domain/management/access/AbstractClassificationResource.java index 43ae0e2254b9..6e60bf114cd7 100644 --- a/domain-management/src/main/java/org/jboss/as/domain/management/access/AbstractClassificationResource.java +++ b/domain-management/src/main/java/org/jboss/as/domain/management/access/AbstractClassificationResource.java @@ -46,8 +46,7 @@ public ModelNode getModel() { @Override public void writeModel(ModelNode newModel) { - //TODO i18n - throw new IllegalStateException("Not writable"); + // called in slave host boot; ignore this unless overridden } @Override diff --git a/domain-management/src/main/java/org/jboss/as/domain/management/access/AccessAuthorizationDomainSlaveConfigHandler.java b/domain-management/src/main/java/org/jboss/as/domain/management/access/AccessAuthorizationDomainSlaveConfigHandler.java new file mode 100644 index 000000000000..994ba2c7da02 --- /dev/null +++ b/domain-management/src/main/java/org/jboss/as/domain/management/access/AccessAuthorizationDomainSlaveConfigHandler.java 
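Review bot: `writeModel` in `AbstractClassificationResource` changes from throwing `IllegalStateException("Not writable")` to doing nothing, so a write to any classification resource whose subclass does not override it is now accepted and silently discarded. For access-control constraints that means a caller can believe a classification was changed when it was not. If slave host boot is the only legitimate caller, keep the exception for other cases or at least log the ignored write. The comment would be clearer as `// Called during slave host controller boot; subclasses holding configurable state must override, otherwise the write is dropped`.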
@@ -0,0 +1,77 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2013, Red Hat, Inc., and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+
+package org.jboss.as.domain.management.access;
+
+import org.jboss.as.controller.AttributeDefinition;
+import org.jboss.as.controller.OperationContext;
+import org.jboss.as.controller.OperationDefinition;
+import org.jboss.as.controller.OperationFailedException;
+import org.jboss.as.controller.OperationStepHandler;
+import org.jboss.as.controller.PathAddress;
+import org.jboss.as.controller.SimpleOperationDefinitionBuilder;
+import org.jboss.as.controller.access.management.DelegatingConfigurableAuthorizer;
+import org.jboss.as.controller.registry.OperationEntry;
+import org.jboss.as.domain.management._private.DomainManagementResolver;
+import org.jboss.dmr.ModelNode;
+
+/**
+ * Internal op called.
+ *
+ * @author Brian Stansberry (c) 2013 Red Hat Inc.
+ */
+public class AccessAuthorizationDomainSlaveConfigHandler implements OperationStepHandler {
+
+ public static final String OPERATION_NAME = "configure-from-domain";
+ public static final OperationDefinition DEFINITION = new SimpleOperationDefinitionBuilder(OPERATION_NAME, DomainManagementResolver.getResolver("core.access-control"))
+ .withFlag(OperationEntry.Flag.HOST_CONTROLLER_ONLY)
+ .setPrivateEntry()
+ .build();
+
+ private final DelegatingConfigurableAuthorizer configurableAuthorizer;
+
+ AccessAuthorizationDomainSlaveConfigHandler(DelegatingConfigurableAuthorizer configurableAuthorizer) {
+ this.configurableAuthorizer = configurableAuthorizer;
+ }
+
+ @Override
+ public void execute(OperationContext context, ModelNode operation) throws OperationFailedException {
+ final ModelNode model = context.readResourceForUpdate(PathAddress.EMPTY_ADDRESS).getModel();
+ for (AttributeDefinition ad : AccessAuthorizationResourceDefinition.ATTRIBUTES) {
+ ad.validateAndSet(operation, model);
+ }
+ context.addStep(new OperationStepHandler() {
+ @Override
+ public void execute(OperationContext context, ModelNode operation) throws OperationFailedException {
+
+ ModelNode provider = AccessAuthorizationResourceDefinition.PROVIDER.resolveModelAttribute(context, model);
+ AccessAuthorizationProviderWriteAttributeHander.updateAuthorizer(provider, configurableAuthorizer);
+ boolean useRealmRoles = AccessAuthorizationResourceDefinition.USE_REALM_ROLES.resolveModelAttribute(context, model).asBoolean();
+ configurableAuthorizer.getWritableAuthorizerConfiguration().setUseRealmRoles(useRealmRoles);
+
+ context.completeStep(OperationContext.RollbackHandler.NOOP_ROLLBACK_HANDLER);
+ }
+ }, OperationContext.Stage.RUNTIME);
+
+ context.stepCompleted();
+ }
+}
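Review bot: The RUNTIME step swaps the authorizer delegate and sets `useRealmRoles`, then completes with `NOOP_ROLLBACK_HANDLER`, so if the operation is rolled back the model is reverted while the live authorizer keeps the new provider and realm-role setting. Capturing the previous values before the update and restoring them in a rollback handler would keep model and runtime access control in step; `revertUpdateToRuntime` in `AccessAuthorizationProviderWriteAttributeHander` already does this for the attribute write path. The class Javadoc `Internal op called.` is incomplete; it should say that the operation applies the master's access-authorization settings to a slave host controller and is not meant to be invoked by users.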
diff --git a/domain-management/src/main/java/org/jboss/as/domain/management/access/AccessAuthorizationProviderWriteAttributeHander.java b/domain-management/src/main/java/org/jboss/as/domain/management/access/AccessAuthorizationProviderWriteAttributeHander.java index 7373258bbdb9..1de829da9614 100644 --- a/domain-management/src/main/java/org/jboss/as/domain/management/access/AccessAuthorizationProviderWriteAttributeHander.java +++ b/domain-management/src/main/java/org/jboss/as/domain/management/access/AccessAuthorizationProviderWriteAttributeHander.java @@ -31,8 +31,8 @@ import org.jboss.as.controller.access.AuthorizerConfiguration; import org.jboss.as.controller.access.management.DelegatingConfigurableAuthorizer; import org.jboss.as.controller.access.rbac.RoleMapper; -import org.jboss.as.controller.access.rbac.StandardRoleMapper; import org.jboss.as.controller.access.rbac.StandardRBACAuthorizer; +import org.jboss.as.controller.access.rbac.StandardRoleMapper; import org.jboss.as.controller.access.rbac.SuperUserRoleMapper; import org.jboss.as.controller.registry.Resource; import org.jboss.as.domain.management.access.AccessAuthorizationResourceDefinition.Provider; @@ -63,7 +63,7 @@ protected void finishModelStage(OperationContext context, ModelNode operation, S /* * As the provider is being set to RBAC we need to be sure roles can be assigned. */ - RbacSanityCheckOperation.registerOperation(context); + RbacSanityCheckOperation.addOperation(context); } } @@ -81,7 +81,7 @@ protected boolean applyUpdateToRuntime(OperationContext context, ModelNode opera if (!context.isBooting()) { return true; } - updateAuthorizer(resolvedValue); + updateAuthorizer(resolvedValue, configurableAuthorizer); } return false; 
@@ -90,10 +90,10 @@ protected boolean applyUpdateToRuntime(OperationContext context, ModelNode opera @Override protected void revertUpdateToRuntime(OperationContext context, ModelNode operation, String attributeName, ModelNode valueToRestore, ModelNode valueToRevert, Void handback) throws OperationFailedException { - updateAuthorizer(valueToRestore); + updateAuthorizer(valueToRestore, configurableAuthorizer); } - private void updateAuthorizer(final ModelNode value) { + static void updateAuthorizer(final ModelNode value, final DelegatingConfigurableAuthorizer configurableAuthorizer) { String providerName = value.asString().toUpperCase(Locale.ENGLISH); Provider provider = Provider.valueOf(providerName); AuthorizerConfiguration authorizerConfiguration = configurableAuthorizer.getWritableAuthorizerConfiguration(); @@ -101,19 +101,11 @@ private void updateAuthorizer(final ModelNode value) { if (provider == Provider.SIMPLE) { roleMapper = new SuperUserRoleMapper(authorizerConfiguration); } else { - roleMapper = getRoleBasedAuthorizer(); + roleMapper = new StandardRoleMapper(configurableAuthorizer.getWritableAuthorizerConfiguration()); } Authorizer delegate = StandardRBACAuthorizer.create(configurableAuthorizer.getWritableAuthorizerConfiguration(), roleMapper); configurableAuthorizer.setDelegate(delegate); } - private RoleMapper getSimpleAuthorizer(AuthorizerConfiguration authorizerConfiguration) { - return new SuperUserRoleMapper(configurableAuthorizer.getWritableAuthorizerConfiguration()); - } - - private RoleMapper getRoleBasedAuthorizer() { - return new StandardRoleMapper(configurableAuthorizer.getWritableAuthorizerConfiguration()); - } - } diff --git a/domain-management/src/main/java/org/jboss/as/domain/management/access/AccessAuthorizationResourceDefinition.java b/domain-management/src/main/java/org/jboss/as/domain/management/access/AccessAuthorizationResourceDefinition.java index 484b18430869..7680f5b1e5fa 100644 
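Review bot: In the now-static `updateAuthorizer`, every provider other than `Provider.SIMPLE` falls into the `else` branch and gets a `StandardRoleMapper`, so a provider value added to the enum later would silently be treated as RBAC; an explicit `else if (provider == Provider.RBAC)` with a final `throw new IllegalStateException(...)` makes the choice deliberate. The branch also calls `configurableAuthorizer.getWritableAuthorizerConfiguration()` again although `authorizerConfiguration` already holds it; `roleMapper = new StandardRoleMapper(authorizerConfiguration);` is enough. Since the method is now reachable from `AccessAuthorizationDomainSlaveConfigHandler`, a short Javadoc stating that `value` must already be validated, because `Provider.valueOf` throws on an unknown name, would help.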
--- a/domain-management/src/main/java/org/jboss/as/domain/management/access/AccessAuthorizationResourceDefinition.java +++ b/domain-management/src/main/java/org/jboss/as/domain/management/access/AccessAuthorizationResourceDefinition.java @@ -26,6 +26,9 @@ import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.AUTHORIZATION; import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.ROLE; +import java.util.Arrays; +import java.util.List; + import javax.xml.stream.XMLStreamException; import javax.xml.stream.XMLStreamWriter; @@ -101,6 +104,8 @@ public void marshallAsElement(AttributeDefinition attribute, ModelNode resourceM .setDefaultValue(new ModelNode(false)) .setAllowExpression(true).build(); + public static final List ATTRIBUTES = Arrays.asList(PROVIDER, USE_REALM_ROLES); + public static AccessAuthorizationResourceDefinition forDomain(DelegatingConfigurableAuthorizer configurableAuthorizer) { return new AccessAuthorizationResourceDefinition(configurableAuthorizer, true, false); } @@ -173,6 +178,16 @@ public void registerChildren(ManagementResourceRegistration resourceRegistration } } + @Override + public void registerOperations(ManagementResourceRegistration resourceRegistration) { + super.registerOperations(resourceRegistration); + if (isDomain) { + // Op to apply config from the master to a slave + resourceRegistration.registerOperationHandler(AccessAuthorizationDomainSlaveConfigHandler.DEFINITION, + new AccessAuthorizationDomainSlaveConfigHandler(configurableAuthorizer)); + } + } + private static Resource createResource() { Resource accessControlRoot = Resource.Factory.create(); accessControlRoot.registerChild(AccessConstraintResources.APPLICATION_PATH_ELEMENT, AccessConstraintResources.APPLICATION_RESOURCE); 
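Review bot: `ATTRIBUTES` is a `public static final` list built with `Arrays.asList(PROVIDER, USE_REALM_ROLES)`, which is fixed-size but still allows `set(...)`, so any code that can see the class can replace an entry that `AccessAuthorizationDomainSlaveConfigHandler` later uses for validation. Wrapping it as `Collections.unmodifiableList(Arrays.asList(PROVIDER, USE_REALM_ROLES))` closes that off; it needs a `java.util.Collections` import next to the two added in the first hunk of this file.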
diff --git a/domain-management/src/main/java/org/jboss/as/domain/management/access/AccessAuthorizationUseRealmRolesWriteAttributeHandler.java b/domain-management/src/main/java/org/jboss/as/domain/management/access/AccessAuthorizationUseRealmRolesWriteAttributeHandler.java index 264c83968401..2b4735273b0c 100644 --- a/domain-management/src/main/java/org/jboss/as/domain/management/access/AccessAuthorizationUseRealmRolesWriteAttributeHandler.java +++ b/domain-management/src/main/java/org/jboss/as/domain/management/access/AccessAuthorizationUseRealmRolesWriteAttributeHandler.java @@ -53,7 +53,7 @@ protected void finishModelStage(OperationContext context, ModelNode operation, S * Using roles from the realm has been disabled so now need to check if there that RBAC has been disabled or an * alternative mapping strategy is in place. */ - RbacSanityCheckOperation.registerOperation(context); + RbacSanityCheckOperation.addOperation(context); } } diff --git a/domain-management/src/main/java/org/jboss/as/domain/management/access/ApplicationClassificationConfigResourceDefinition.java b/domain-management/src/main/java/org/jboss/as/domain/management/access/ApplicationClassificationConfigResourceDefinition.java index 2c284f10f8cb..5d63222480eb 100644 --- a/domain-management/src/main/java/org/jboss/as/domain/management/access/ApplicationClassificationConfigResourceDefinition.java +++ b/domain-management/src/main/java/org/jboss/as/domain/management/access/ApplicationClassificationConfigResourceDefinition.java 
@@ -151,6 +151,20 @@ public ModelNode getModel() { return model; } + @Override + public void writeModel(ModelNode newModel) { + // Called on a slave host controller during boot + if (newModel.hasDefined(CONFIGURED_APPLICATION.getName())) { + boolean b = newModel.get(CONFIGURED_APPLICATION.getName()).asBoolean(); + applicationType.setConfiguredApplication(b); + } + } + + @Override + public boolean isModelDefined() { + return true; + } + private ModelNode getBoolean(Boolean booleanValue) { if (booleanValue == null) { return new ModelNode(); diff --git a/domain-management/src/main/java/org/jboss/as/domain/management/access/IsCallerInRoleOperation.java b/domain-management/src/main/java/org/jboss/as/domain/management/access/IsCallerInRoleOperation.java index 3fa208401099..d4ca107118fe 100644 --- a/domain-management/src/main/java/org/jboss/as/domain/management/access/IsCallerInRoleOperation.java +++ b/domain-management/src/main/java/org/jboss/as/domain/management/access/IsCallerInRoleOperation.java @@ -33,6 +33,8 @@ import org.jboss.as.controller.SimpleOperationDefinition; import org.jboss.as.controller.SimpleOperationDefinitionBuilder; import org.jboss.as.controller.access.Authorizer; +import org.jboss.as.controller.access.Caller; +import org.jboss.as.controller.access.Environment; import org.jboss.as.controller.access.rbac.RunAsRoleMapper; import org.jboss.as.domain.management._private.DomainManagementResolver; import org.jboss.dmr.ModelNode; 
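Review bot: The new `writeModel` only acts when `CONFIGURED_APPLICATION` is defined in `newModel`, so when the attribute has been undefined on the master the slave keeps its previous override instead of clearing it. `getBoolean(Boolean)` just below handles `null`, which suggests the configured value can be unset; if `setConfiguredApplication` accepts `null`, an `else` branch calling `applicationType.setConfiguredApplication(null);` would propagate the reset. The same pattern appears in the `SensitivityResourceDefinition.writeModel` hunk for the three `CONFIGURED_REQUIRES_*` attributes. Nothing in the method checks that it is really called during slave boot, so the comment describes an expectation rather than a guard and should say so.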
@@ -65,12 +67,28 @@ public void execute(OperationContext context, ModelNode operation) throws Operat } else { ModelNode result = context.getResult(); Set operationHeaderRoles = RunAsRoleMapper.getOperationHeaderRoles(operation); - result.set(authorizer.isCallerInRole(roleName, context.getCaller(), context.getCallEnvironment(), operationHeaderRoles)); + result.set(isCallerInRole(roleName, context.getCaller(), context.getCallEnvironment(), operationHeaderRoles)); } context.stepCompleted(); } + private boolean isCallerInRole(String roleName, Caller caller, Environment callEnvironment, Set operationHeaderRoles) { + Set mappedRoles = authorizer.getCallerRoles(caller, callEnvironment, operationHeaderRoles); + if (mappedRoles == null) { + return false; + } else if (mappedRoles.contains(roleName)) { + return true; + } else { + for (String role : mappedRoles) { + if (role.equalsIgnoreCase(roleName)) { + return true; + } + } + } + return false; + } + public static OperationStepHandler create(final Authorizer authorizer) { return new IsCallerInRoleOperation(authorizer); } diff --git a/domain-management/src/main/java/org/jboss/as/domain/management/access/PrincipalRemove.java b/domain-management/src/main/java/org/jboss/as/domain/management/access/PrincipalRemove.java index d62516523b98..cae1b3ab1e1e 100644 --- a/domain-management/src/main/java/org/jboss/as/domain/management/access/PrincipalRemove.java +++ b/domain-management/src/main/java/org/jboss/as/domain/management/access/PrincipalRemove.java @@ -69,7 +69,7 @@ public void execute(OperationContext context, ModelNode operation) throws Operat context.removeResource(PathAddress.EMPTY_ADDRESS); if (matchType == WritableAuthorizerConfiguration.MatchType.INCLUDE) { - RbacSanityCheckOperation.registerOperation(context); + RbacSanityCheckOperation.addOperation(context); } registerRuntimeRemove(context, roleName, principalType, name, realm); 
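Review bot: In the new private `isCallerInRole`, the `mappedRoles.contains(roleName)` branch is only a fast path for the `equalsIgnoreCase` loop that follows, and the trailing `return false` sits after an `else` chain whose other arms all return; a `null` guard followed by a single loop reads more directly. A one-line comment that role names are compared case-insensitively, and that a `null` set from the authorizer means role mapping is unsupported, would record the contract now that this logic has moved out of `StandardRBACAuthorizer`.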
diff --git a/domain-management/src/main/java/org/jboss/as/domain/management/access/RbacSanityCheckOperation.java b/domain-management/src/main/java/org/jboss/as/domain/management/access/RbacSanityCheckOperation.java index 255f36e95548..9aea3e3b696c 100644 --- a/domain-management/src/main/java/org/jboss/as/domain/management/access/RbacSanityCheckOperation.java +++ b/domain-management/src/main/java/org/jboss/as/domain/management/access/RbacSanityCheckOperation.java @@ -115,9 +115,9 @@ public Void run() throws OperationFailedException { } /** - * Register the operation at the end of Stage MODEL if this operation has not already been registered. + * Add the operation at the end of Stage MODEL if this operation has not already been registered. * - * This operation should be registered if any of the following occur: - + * This operation should be added if any of the following occur: - * - map-group-to-roles is set to false on an existing security realm. * - A security realm is removed. * - The authorization configuration is removed from a security realm. @@ -133,9 +133,9 @@ public Void run() throws OperationFailedException { * * @param context - The OperationContext to use to register the step. */ - public static void registerOperation(final OperationContext context) { - RbacSanityCheckOperation registered = context.getAttachment(KEY); - if (registered == null) { + public static void addOperation(final OperationContext context) { + RbacSanityCheckOperation added = context.getAttachment(KEY); + if (added == null) { // TODO support managed domain if (!context.isNormalServer()) return; context.addStep(createOperation(), INSTANCE, Stage.MODEL); diff --git a/domain-management/src/main/java/org/jboss/as/domain/management/access/RoleMappingRemove.java b/domain-management/src/main/java/org/jboss/as/domain/management/access/RoleMappingRemove.java index 7ce8c5fa30fd..5698890b1ad5 100644 
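Review bot: `addOperation` still returns without adding the check when `!context.isNormalServer()` (the `// TODO support managed domain` line), so with this commit distributing access-control configuration to slave hosts, a domain-mode change that leaves no usable role mapping is not caught by the sanity check. If that gap is intended for now, the Javadoc should say so explicitly. The updated Javadoc also mixes old and new wording: "if this operation has not already been registered" and "to use to register the step" should read "added" and "add" to match the rename. The method body continues past the end of the hunk.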
--- a/domain-management/src/main/java/org/jboss/as/domain/management/access/RoleMappingRemove.java +++ b/domain-management/src/main/java/org/jboss/as/domain/management/access/RoleMappingRemove.java @@ -60,7 +60,7 @@ public void execute(OperationContext context, ModelNode operation) throws Operat PathAddress address = PathAddress.pathAddress(operation.get(OP_ADDR)); final String roleName = address.getLastElement().getValue().toUpperCase(); - RbacSanityCheckOperation.registerOperation(context); + RbacSanityCheckOperation.addOperation(context); registerRuntimeRemove(context, roleName); diff --git a/domain-management/src/main/java/org/jboss/as/domain/management/access/SensitivityResourceDefinition.java b/domain-management/src/main/java/org/jboss/as/domain/management/access/SensitivityResourceDefinition.java index 17366e771ab3..3b8f279b61cf 100644 --- a/domain-management/src/main/java/org/jboss/as/domain/management/access/SensitivityResourceDefinition.java +++ b/domain-management/src/main/java/org/jboss/as/domain/management/access/SensitivityResourceDefinition.java 
@@ -214,6 +214,30 @@ public ModelNode getModel() { return model; } + @Override + public void writeModel(ModelNode newModel) { + + // Called on a slave host controller during boot + + if (newModel.hasDefined(CONFIGURED_REQUIRES_ADDRESSABLE.getName())) { + boolean b = newModel.get(CONFIGURED_REQUIRES_ADDRESSABLE.getName()).asBoolean(); + classification.setConfiguredRequiresAccessPermission(b); + } + if (newModel.hasDefined(CONFIGURED_REQUIRES_READ.getName())) { + boolean b = newModel.get(CONFIGURED_REQUIRES_READ.getName()).asBoolean(); + classification.setConfiguredRequiresReadPermission(b); + } + if (newModel.hasDefined(CONFIGURED_REQUIRES_WRITE.getName())) { + boolean b = newModel.get(CONFIGURED_REQUIRES_WRITE.getName()).asBoolean(); + classification.setConfiguredRequiresWritePermission(b); + } + } + + @Override + public boolean isModelDefined() { + return true; + } + private ModelNode getBoolean(Boolean booleanValue) { if (booleanValue == null) { return new ModelNode(); diff --git a/domain-management/src/main/java/org/jboss/as/domain/management/security/SecurityRealmChildRemoveHandler.java b/domain-management/src/main/java/org/jboss/as/domain/management/security/SecurityRealmChildRemoveHandler.java index ff3f7b90663f..d21080bd748c 100644 --- a/domain-management/src/main/java/org/jboss/as/domain/management/security/SecurityRealmChildRemoveHandler.java +++ b/domain-management/src/main/java/org/jboss/as/domain/management/security/SecurityRealmChildRemoveHandler.java @@ -52,7 +52,7 @@ protected void updateModel(OperationContext context, ModelNode operation) throws context.addStep(validationOp, AuthenticationValidatingHandler.INSTANCE, OperationContext.Stage.MODEL); } // else we know the SecurityRealmAddHandler is part of this overall set of ops and it added AuthenticationValidatingHandler if (validateRbac) { - RbacSanityCheckOperation.registerOperation(context); + RbacSanityCheckOperation.addOperation(context); } } } 
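Review bot: The new `writeModel` in SensitivityResourceDefinition only applies attributes that are defined in `newModel`, so a configured override that the master has since cleared is never reset on this host. The domain-model handler changed later in this commit also runs on reconnect, not only during boot, so a stale `configured-requires-*` value could keep a sensitivity constraint out of step with the master. If the classification setters accept a null `Boolean` (not visible here, though `getBoolean(Boolean)` below suggests nullable values), each branch could pass null for an undefined attribute, e.g. `classification.setConfiguredRequiresReadPermission(m.isDefined() ? m.asBoolean() : null);`. The inline comment should also mention reconnect, for example `// Called on a slave host controller when the domain model is applied (boot and reconnect)`.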
diff --git a/domain-management/src/main/java/org/jboss/as/domain/management/security/SecurityRealmMapGroupsAttributeWriteHandler.java b/domain-management/src/main/java/org/jboss/as/domain/management/security/SecurityRealmMapGroupsAttributeWriteHandler.java index 80b807e3b60a..fa96e8ff04fa 100644 --- a/domain-management/src/main/java/org/jboss/as/domain/management/security/SecurityRealmMapGroupsAttributeWriteHandler.java +++ b/domain-management/src/main/java/org/jboss/as/domain/management/security/SecurityRealmMapGroupsAttributeWriteHandler.java @@ -50,7 +50,7 @@ protected void finishModelStage(OperationContext context, ModelNode operation, S ModelNode oldValue, Resource model) throws OperationFailedException { if ((oldValue.equals(newValue) == false) && newValue.isDefined() && (newValue.getType() == ModelType.EXPRESSION || newValue.asBoolean() == false)) { - RbacSanityCheckOperation.registerOperation(context); + RbacSanityCheckOperation.addOperation(context); } super.finishModelStage(context, operation, attributeName, newValue, oldValue, model); } diff --git a/domain-management/src/main/java/org/jboss/as/domain/management/security/SecurityRealmRemoveHandler.java b/domain-management/src/main/java/org/jboss/as/domain/management/security/SecurityRealmRemoveHandler.java index 21ae4eb71226..3f91957399e3 100644 --- a/domain-management/src/main/java/org/jboss/as/domain/management/security/SecurityRealmRemoveHandler.java +++ b/domain-management/src/main/java/org/jboss/as/domain/management/security/SecurityRealmRemoveHandler.java 
@@ -48,7 +48,7 @@ private SecurityRealmRemoveHandler() { public void execute(OperationContext context, ModelNode operation) throws OperationFailedException { final ModelNode model = Resource.Tools.readModel(context.readResource(PathAddress.EMPTY_ADDRESS)); context.removeResource(PathAddress.EMPTY_ADDRESS); - RbacSanityCheckOperation.registerOperation(context); + RbacSanityCheckOperation.addOperation(context); context.addStep(new OperationStepHandler() { @Override public void execute(OperationContext context, ModelNode operation) throws OperationFailedException { diff --git a/domain-management/src/main/java/org/jboss/as/domain/management/security/WhoAmIOperation.java b/domain-management/src/main/java/org/jboss/as/domain/management/security/WhoAmIOperation.java index 5ea1366929e2..a01cafb33308 100644 --- a/domain-management/src/main/java/org/jboss/as/domain/management/security/WhoAmIOperation.java +++ b/domain-management/src/main/java/org/jboss/as/domain/management/security/WhoAmIOperation.java @@ -25,6 +25,7 @@ import static org.jboss.as.domain.management.DomainManagementMessages.MESSAGES; import static org.jboss.as.domain.management.ModelDescriptionConstants.GROUPS; import static org.jboss.as.domain.management.ModelDescriptionConstants.IDENTITY; +import static org.jboss.as.domain.management.ModelDescriptionConstants.MAPPED_ROLES; import static org.jboss.as.domain.management.ModelDescriptionConstants.REALM; import static org.jboss.as.domain.management.ModelDescriptionConstants.ROLES; import static org.jboss.as.domain.management.ModelDescriptionConstants.USERNAME; 
@@ -39,7 +40,9 @@ import org.jboss.as.controller.SimpleAttributeDefinitionBuilder; import org.jboss.as.controller.SimpleOperationDefinition; import org.jboss.as.controller.SimpleOperationDefinitionBuilder; +import org.jboss.as.controller.access.Authorizer; import org.jboss.as.controller.access.Caller; +import org.jboss.as.controller.access.rbac.RunAsRoleMapper; import org.jboss.as.controller.descriptions.common.ControllerResolver; import org.jboss.as.domain.management.ModelDescriptionConstants; import org.jboss.dmr.ModelNode; @@ -58,7 +61,6 @@ * @author Darran Lofthouse */ public class WhoAmIOperation implements OperationStepHandler { - public static final WhoAmIOperation INSTANCE = new WhoAmIOperation(); private static final SimpleAttributeDefinition VERBOSE = new SimpleAttributeDefinitionBuilder(ModelDescriptionConstants.VERBOSE, ModelType.BOOLEAN) .setAllowNull(true) @@ -67,10 +69,16 @@ public class WhoAmIOperation implements OperationStepHandler { public static final SimpleOperationDefinition DEFINITION = new SimpleOperationDefinitionBuilder(WHOAMI, ControllerResolver.getResolver("core", "management")) .setParameters(VERBOSE) .setReadOnly() - .setReplyType(ModelType.OBJECT) - .setReplyValueType(ModelType.OBJECT) + .setReplyType(ModelType.STRING) + .setReplyValueType(ModelType.STRING) .build(); + private final Authorizer authorizer; + + private WhoAmIOperation(final Authorizer authorizer) { + this.authorizer = authorizer; + } + /** * @see org.jboss.as.controller.OperationStepHandler#execute(org.jboss.as.controller.OperationContext, * org.jboss.dmr.ModelNode) 
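Review bot: In the `@@ -67,10 +69,16 @@` hunk, `DEFINITION` now declares `setReplyType(ModelType.STRING)` and `setReplyValueType(ModelType.STRING)`, yet the handler still builds a keyed result and this commit adds a `MAPPED_ROLES` list to it. That looks inconsistent with the declared reply metadata, which clients and description validation may rely on; if the change only works around a missing value-type description, a comment saying so would help. The new private constructor also accepts a null `authorizer` (execute checks for it), which deserves a one-line Javadoc such as `@param authorizer the authorizer used to resolve mapped roles, or {@code null} to omit them`.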
@@ -107,9 +115,21 @@ public void execute(OperationContext context, ModelNode operation) throws Operat roles.add(current); } } + + Set mappedRoles = authorizer == null ? null : authorizer.getCallerRoles(context.getCaller(), context.getCallEnvironment(), RunAsRoleMapper.getOperationHeaderRoles(operation)); + if (mappedRoles != null) { + ModelNode roles = result.get(MAPPED_ROLES); + for (String current : mappedRoles) { + roles.add(current); + } + } } context.completeStep(OperationContext.RollbackHandler.NOOP_ROLLBACK_HANDLER); } + public static OperationStepHandler createOperation(final Authorizer authorizer) { + return new WhoAmIOperation(authorizer); + } + } diff --git a/host-controller/src/main/java/org/jboss/as/domain/controller/operations/ApplyRemoteMasterDomainModelHandler.java b/host-controller/src/main/java/org/jboss/as/domain/controller/operations/ApplyRemoteMasterDomainModelHandler.java index b0f1307892de..3bb372c521a5 100644 --- a/host-controller/src/main/java/org/jboss/as/domain/controller/operations/ApplyRemoteMasterDomainModelHandler.java +++ b/host-controller/src/main/java/org/jboss/as/domain/controller/operations/ApplyRemoteMasterDomainModelHandler.java 
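Review bot: When `getCallerRoles` returns an empty set, `result.get(MAPPED_ROLES)` creates the key but the loop adds nothing, so the reply carries an undefined `mapped-roles` node rather than an empty list. The Authorizer contract in this commit separates "no roles assigned" (empty set) from "role mapping unsupported" (null), and a caller auditing its effective roles should see that difference clearly. Initialising the node explicitly keeps it: `ModelNode roles = result.get(MAPPED_ROLES).setEmptyList();`. The body of `execute` starts outside this hunk, so whether the existing `roles` output behaves the same way cannot be confirmed from here.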
@@ -22,13 +22,16 @@ package org.jboss.as.domain.controller.operations; +import static org.jboss.as.controller.ControllerMessages.MESSAGES; import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.CONTENT; +import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.CORE_SERVICE; import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.DEPLOYMENT; import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.DOMAIN_MODEL; import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.EXTENSION; import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.GROUP; import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.HASH; import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.HOST; +import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.MANAGEMENT; import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.MANAGEMENT_CLIENT_CONTENT; import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.OP; import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.OP_ADDR; @@ -39,12 +42,14 @@ import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.SERVER_GROUP; import static org.jboss.as.domain.controller.DomainControllerLogger.ROOT_LOGGER; +import java.util.ArrayList; import java.util.HashMap; import java.util.HashSet; import java.util.List; import java.util.Map; import java.util.Set; +import org.jboss.as.controller.AttributeDefinition; import org.jboss.as.controller.ExpressionResolver; import org.jboss.as.controller.OperationContext; import org.jboss.as.controller.OperationDefinition; 
@@ -54,12 +59,20 @@ import org.jboss.as.controller.PathElement; import org.jboss.as.controller.ProxyController; import org.jboss.as.controller.SimpleOperationDefinitionBuilder; +import org.jboss.as.controller.access.management.WritableAuthorizerConfiguration; import org.jboss.as.controller.descriptions.ModelDescriptionConstants; +import org.jboss.as.controller.operations.common.Util; +import org.jboss.as.controller.registry.ImmutableManagementResourceRegistration; +import org.jboss.as.controller.registry.OperationEntry; import org.jboss.as.controller.registry.Resource; import org.jboss.as.domain.controller.DomainController; import org.jboss.as.domain.controller.LocalHostControllerInfo; import org.jboss.as.domain.controller.ServerIdentity; import org.jboss.as.domain.controller.operations.coordination.DomainServerUtils; +import org.jboss.as.domain.management.CoreManagementResourceDefinition; +import org.jboss.as.domain.management.access.AccessAuthorizationDomainSlaveConfigHandler; +import org.jboss.as.domain.management.access.AccessAuthorizationResourceDefinition; +import org.jboss.as.domain.management.access.AccessConstraintResources; import org.jboss.as.host.controller.HostControllerEnvironment; import org.jboss.as.host.controller.ManagedServerBootCmdFactory; import org.jboss.as.host.controller.ManagedServerBootConfiguration; @@ -70,6 +83,7 @@ import org.jboss.as.repository.HostFileRepository; import org.jboss.as.server.operations.ServerRestartRequiredHandler; import org.jboss.dmr.ModelNode; +import org.jboss.dmr.Property; /** * Step handler responsible for taking in a domain model and updating the local domain model to match. This happens when we connect to the domain controller, 
@@ -90,6 +104,7 @@ public class ApplyRemoteMasterDomainModelHandler implements OperationStepHandler //Private method does not need resources for description public static final OperationDefinition DEFINITION = new SimpleOperationDefinitionBuilder(OPERATION_NAME, null) + .withFlag(OperationEntry.Flag.HOST_CONTROLLER_ONLY) .setPrivateEntry() .build(); @@ -99,19 +114,22 @@ public class ApplyRemoteMasterDomainModelHandler implements OperationStepHandler protected final IgnoredDomainResourceRegistry ignoredResourceRegistry; private final HostFileRepository fileRepository; private final ContentRepository contentRepository; + private final WritableAuthorizerConfiguration authorizerConfiguration; public ApplyRemoteMasterDomainModelHandler(final DomainController domainController, final HostControllerEnvironment hostControllerEnvironment, final HostFileRepository fileRepository, final ContentRepository contentRepository, final LocalHostControllerInfo localHostInfo, - final IgnoredDomainResourceRegistry ignoredResourceRegistry) { + final IgnoredDomainResourceRegistry ignoredResourceRegistry, + final WritableAuthorizerConfiguration authorizerConfiguration) { this.domainController = domainController; this.hostControllerEnvironment = hostControllerEnvironment; this.fileRepository = fileRepository; this.contentRepository = contentRepository; this.localHostInfo = localHostInfo; this.ignoredResourceRegistry = ignoredResourceRegistry; + this.authorizerConfiguration = authorizerConfiguration; } public void execute(final OperationContext context, final ModelNode operation) throws OperationFailedException { 
@@ -128,7 +146,11 @@ public void execute(final OperationContext context, final ModelNode operation) t final Resource rootResource = context.readResourceForUpdate(PathAddress.EMPTY_ADDRESS); clearDomain(rootResource); + if (!context.isBooting()) { + authorizerConfiguration.domainReconnectReset(); + } + List addOps = new ArrayList(); for (final ModelNode resourceDescription : domainModel.asList()) { final PathAddress resourceAddress = PathAddress.pathAddress(resourceDescription.require(ReadMasterDomainModelUtil.DOMAIN_RESOURCE_ADDRESS)); @@ -137,16 +159,16 @@ public void execute(final OperationContext context, final ModelNode operation) t continue; } - final Resource resource = getResource(resourceAddress, rootResource, context); if (resourceAddress.size() == 1 && resourceAddress.getElement(0).getKey().equals(EXTENSION)) { // Extensions are handled in ApplyExtensionsHandler continue; } - resource.writeModel(resourceDescription.get(ReadMasterDomainModelUtil.DOMAIN_RESOURCE_MODEL)); + ModelNode resourceModel = resourceDescription.get(ReadMasterDomainModelUtil.DOMAIN_RESOURCE_MODEL); + final Resource resource = getResource(resourceAddress, rootResource, resourceModel, context, addOps); // Track deployment and management content hashes and server group deployments so we can pull over the content we need - if (resourceAddress.size() == 1) { + if (resource != null && resourceAddress.size() == 1) { PathElement pe = resourceAddress.getElement(0); String peKey = pe.getKey(); if (peKey.equals(DEPLOYMENT)) { 
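Review bot: `authorizerConfiguration.domainReconnectReset()` is called directly inside `execute`, before any of the new RBAC add steps have run and with no rollback handler registered for it. Its implementation is not shown here, but if it mutates the live authorizer configuration, a failure in a later step would roll back the model and leave the reset in place, so the host could end up enforcing a configuration that matches neither the old nor the new domain model. Consider moving the reset into a step whose rollback handler restores the previous state, or add a comment stating what access-control state the host falls back to when applying the domain model fails. The constructor also stores `authorizerConfiguration` without a null check, so a null argument only surfaces here as a NullPointerException on the first reconnect.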
@@ -192,10 +214,35 @@ public void execute(final OperationContext context, final ModelNode operation) t } if (!context.isBooting()) { - //We have reconnected to the DC - makeAffectedServersRestartRequired(context, startRoot); + //We have reconnected to the DC. Add an immediate step to put out-of-sync servers in restart-required mode + context.addStep(new OperationStepHandler() { + @Override + public void execute(OperationContext context, ModelNode operation) throws OperationFailedException { + makeAffectedServersRestartRequired(context, startRoot); + context.completeStep(OperationContext.RollbackHandler.NOOP_ROLLBACK_HANDLER); + } + }, OperationContext.Stage.MODEL, true); + } + + // Before the above step, add steps for any ops we need to run + ImmutableManagementResourceRegistration registry = context.getResourceRegistration(); + for (int i = addOps.size() - 1; i >= 0; i--) { + ModelNode subOperation = addOps.get(i); + PathAddress stepAddress = PathAddress.pathAddress(subOperation.get(OP_ADDR)); + String stepOpName = subOperation.require(OP).asString(); + OperationStepHandler stepHandler = registry.getOperationHandler(stepAddress, stepOpName); + if (stepHandler == null) { + ImmutableManagementResourceRegistration child = registry.getSubModel(stepAddress); + if (child == null) { + throw new IllegalStateException(MESSAGES.noSuchResourceType(stepAddress)); + } else { + throw new IllegalStateException(MESSAGES.noHandlerForOperation(stepOpName, stepAddress)); + } + } + context.addStep(subOperation, stepHandler, OperationContext.Stage.MODEL, true); } + context.stepCompleted(); } 
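Review bot: The loop over `addOps` runs from the last element to the first and passes `addFirst = true`, which is what keeps the RBAC operations in their original order and ahead of the restart-required step, but the code does not say so. A comment on the loop would stop a later cleanup from "fixing" the iteration direction, for example `// Iterate in reverse: each step is pushed to the front, so the ops execute in list order, before the step added above`. The two `IllegalStateException` throws are also undocumented on a method that declares `OperationFailedException`; a short note that a missing handler is treated as a programming error rather than a failed operation would make the intent clear.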
@@ -222,35 +269,93 @@ private void clearDomain(final Resource rootResource) { for(Resource.ResourceEntry entry : rootResource.getChildren(ModelDescriptionConstants.SERVER_GROUP)) { rootResource.removeChild(entry.getPathElement()); } + // Prune parts of the RBAC tree + Resource accessControl = rootResource.navigate( + PathAddress.pathAddress(CoreManagementResourceDefinition.PATH_ELEMENT, AccessAuthorizationResourceDefinition.PATH_ELEMENT)); + accessControl.writeModel(new ModelNode()); + for(Resource.ResourceEntry entry : accessControl.getChildren(ModelDescriptionConstants.SERVER_GROUP_SCOPED_ROLE)) { + rootResource.removeChild(entry.getPathElement()); + } + for(Resource.ResourceEntry entry : accessControl.getChildren(ModelDescriptionConstants.HOST_SCOPED_ROLE)) { + rootResource.removeChild(entry.getPathElement()); + } + for(Resource.ResourceEntry entry : accessControl.getChildren(ModelDescriptionConstants.ROLE_MAPPING)) { + rootResource.removeChild(entry.getPathElement()); + } } - protected Resource getResource(PathAddress resourceAddress, Resource rootResource, OperationContext context) { + protected Resource getResource(PathAddress resourceAddress, Resource rootResource, ModelNode resourceModel, + OperationContext context, List addOps) { if(resourceAddress.size() == 0) { return rootResource; } + boolean allowCreate = true; + boolean writeResourceModel = true; + boolean coreService = false; + boolean accessControl = false; + PathElement created = null; Resource temp = rootResource; int idx = 0; - for(PathElement element : resourceAddress) { - temp = temp.getChild(element); - if(temp == null) { + for (PathElement element : resourceAddress) { + temp = temp == null ? 
null : temp.getChild(element); + String type = element.getKey(); + assert !EXTENSION.equals(type) : "extension resources should be excluded"; + String value = element.getValue(); + if (temp == null) { if (idx == 0) { - String type = element.getKey(); - if (type.equals(EXTENSION)) { - // Extensions are handled in ApplyExtensionsHandler - continue; - } else if (type.equals(MANAGEMENT_CLIENT_CONTENT) && element.getValue().equals(ROLLOUT_PLANS)) { + if (MANAGEMENT_CLIENT_CONTENT.equals(type) && ROLLOUT_PLANS.equals(value)) { // Needs a specialized resource type temp = new ManagedDMRContentTypeResource(element, ROLLOUT_PLAN, null, contentRepository); context.addResource(resourceAddress, temp); } + } else if (accessControl) { + // RBAC config child resources where we need to invoke add ops + // to ensure the AuthorizerConfiguration is updated + allowCreate = false; + if (idx == resourceAddress.size() - 1) { + ModelNode addOp = Util.createAddOperation(resourceAddress); + if (resourceModel.isDefined()) { + for (Property property : resourceModel.asPropertyList()) { + addOp.get(property.getName()).set(property.getValue()); + } + } + addOps.add(addOp); + } } - if (temp == null) { + if (temp == null && allowCreate) { + assert created == null : "already created " + created; temp = context.createResource(resourceAddress); + created = element; + } + } else if (CORE_SERVICE.equals(type) && MANAGEMENT.equals(value)) { + coreService = true; + } else if (coreService && idx == 1 && element.equals(AccessAuthorizationResourceDefinition.PATH_ELEMENT)) { + accessControl = true; + if (idx == resourceAddress.size() - 1) { + writeResourceModel = false; + // Invoke a specialized op for high level rbac config + ModelNode configureOp = Util.createEmptyOperation(AccessAuthorizationDomainSlaveConfigHandler.OPERATION_NAME, resourceAddress); + for (AttributeDefinition ad : AccessAuthorizationResourceDefinition.ATTRIBUTES) { + String attrName = ad.getName(); + if (resourceModel.hasDefined(attrName)) 
{ + configureOp.get(attrName).set(resourceModel.get(attrName)); + } + } + addOps.add(configureOp); } - break; + } else if (accessControl && idx == 2 + && (AccessConstraintResources.APPLICATION_PATH_ELEMENT.equals(element) + || AccessConstraintResources.SENSITIVITY_PATH_ELEMENT.equals(element) + || AccessConstraintResources.VAULT_PATH_ELEMENT.equals(element))) { + // Just write the model to the resources in these trees + accessControl = false; + allowCreate = false; } idx++; } + if (writeResourceModel && temp != null) { + temp.writeModel(resourceModel); + } return temp; } @@ -334,4 +439,15 @@ public ModelNode resolveExpressions(final ModelNode node) throws OperationFailed }); } + + private static class ResourceAddition { + private final Resource addedResource; + private final List addOps; + + + private ResourceAddition(Resource addedResource, List addOps) { + this.addedResource = addedResource; + this.addOps = addOps; + } + } } diff --git a/host-controller/src/main/java/org/jboss/as/domain/controller/resources/DomainRootDefinition.java b/host-controller/src/main/java/org/jboss/as/domain/controller/resources/DomainRootDefinition.java index afb46eec9af8..369f600297ed 100644 --- a/host-controller/src/main/java/org/jboss/as/domain/controller/resources/DomainRootDefinition.java +++ b/host-controller/src/main/java/org/jboss/as/domain/controller/resources/DomainRootDefinition.java 
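Review bot: In `clearDomain`, the three new pruning loops iterate `accessControl.getChildren(...)` but call `rootResource.removeChild(entry.getPathElement())`, so the scoped-role and role-mapping children are looked up on the wrong parent and most likely never removed. Each loop should use `accessControl.removeChild(entry.getPathElement());`. As written, role mappings deleted on the master could survive a reconnect on this host. In addition, `getResource` only queues an add operation when the child is missing, so a surviving child would get a plain `writeModel` instead of the add op that the comment says is needed to update the AuthorizerConfiguration. `clearDomain` begins outside this hunk.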
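Review bot: The private nested class `ResourceAddition` added at the end of the file is not referenced anywhere in this diff; `getResource` returns a `Resource` and takes the `addOps` list as a parameter instead. It looks like a leftover from an earlier design and should be removed, or used as the return type of `getResource` if that was the intent. Leaving it in place suggests a second code path for collecting add operations that does not exist.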
@@ -270,7 +270,7 @@ public void registerOperations(ManagementResourceRegistration resourceRegistrati resourceRegistration.registerOperationHandler(ApplyExtensionsHandler.DEFINITION, aexh); ApplyRemoteMasterDomainModelHandler armdmh = new ApplyRemoteMasterDomainModelHandler(domainController, environment, fileRepository, - contentRepo, hostControllerInfo, ignoredDomainResourceRegistry); + contentRepo, hostControllerInfo, ignoredDomainResourceRegistry, authorizer.getWritableAuthorizerConfiguration()); resourceRegistration.registerOperationHandler(ApplyRemoteMasterDomainModelHandler.DEFINITION, armdmh); ApplyMissingDomainModelResourcesHandler amdmrh = new ApplyMissingDomainModelResourcesHandler(domainController, environment, hostControllerInfo, ignoredDomainResourceRegistry); resourceRegistration.registerOperationHandler(ApplyMissingDomainModelResourcesHandler.DEFINITION, amdmrh); diff --git a/host-controller/src/main/java/org/jboss/as/domain/controller/transformers/ManagementTransformers.java b/host-controller/src/main/java/org/jboss/as/domain/controller/transformers/ManagementTransformers.java index 1c65ac7bae77..6062f34d4a6e 100644 --- a/host-controller/src/main/java/org/jboss/as/domain/controller/transformers/ManagementTransformers.java +++ b/host-controller/src/main/java/org/jboss/as/domain/controller/transformers/ManagementTransformers.java @@ -22,9 +22,7 @@ package org.jboss.as.domain.controller.transformers; -import org.jboss.as.controller.transform.ResourceTransformer; import org.jboss.as.controller.transform.TransformersSubRegistration; -import org.jboss.as.domain.management.CoreManagementResourceDefinition; /** * Transformers for the domain-wide management configuration. 
@@ -39,7 +37,7 @@ class ManagementTransformers { * @param parent the parent registration */ static void registerTransformers200(TransformersSubRegistration parent) { - parent.registerSubResource(CoreManagementResourceDefinition.PATH_ELEMENT, ResourceTransformer.DISCARD); +// parent.registerSubResource(CoreManagementResourceDefinition.PATH_ELEMENT, ResourceTransformer.DISCARD); } private ManagementTransformers() { diff --git a/host-controller/src/main/java/org/jboss/as/host/controller/DomainModelControllerService.java b/host-controller/src/main/java/org/jboss/as/host/controller/DomainModelControllerService.java index 9ffab61ea8d6..1d2053135865 100644 --- a/host-controller/src/main/java/org/jboss/as/host/controller/DomainModelControllerService.java +++ b/host-controller/src/main/java/org/jboss/as/host/controller/DomainModelControllerService.java @@ -96,7 +96,6 @@ import org.jboss.as.domain.controller.operations.coordination.PrepareStepHandler; import org.jboss.as.domain.controller.resources.DomainRootDefinition; import org.jboss.as.domain.management.CoreManagementResourceDefinition; -import org.jboss.as.domain.management.access.AccessAuthorizationResourceDefinition; import org.jboss.as.host.controller.RemoteDomainConnectionService.RemoteFileRepository; import org.jboss.as.host.controller.discovery.DiscoveryOption; import org.jboss.as.host.controller.ignored.IgnoredDomainResourceRegistry; 
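Review bot: `registerTransformers200` now has an empty body with the former `ResourceTransformer.DISCARD` registration left as a commented-out line at column 0, which hides whether the change is intentional. Without the discard, the core management resource, including access-control configuration, is presumably no longer stripped for hosts handled by this transformer; whether those hosts can apply it is not visible here. If that is intended, delete the dead line and say so in the method, for example `// Core management (RBAC) config is now propagated to slaves; nothing to transform`.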
@@ -415,12 +414,9 @@ public void start(StartContext context) throws StartException { @Override protected void initModel(Resource rootResource, ManagementResourceRegistration rootRegistration) { - HostModelUtil.createRootRegistry(rootRegistration, environment, ignoredRegistry, this, processType); + HostModelUtil.createRootRegistry(rootRegistration, environment, ignoredRegistry, this, processType, authorizer); VersionModelInitializer.registerRootResource(rootResource, environment != null ? environment.getProductConfig() : null); - // TODO wire in once we get master-slave propagation sorted - Resource managementResource = Resource.Factory.create(); // TODO - Can we get a Resource direct from CoreManagementResourceDefinition? - rootResource.registerChild(CoreManagementResourceDefinition.PATH_ELEMENT, managementResource); - managementResource.registerChild(AccessAuthorizationResourceDefinition.PATH_ELEMENT, AccessAuthorizationResourceDefinition.RESOURCE); + CoreManagementResourceDefinition.registerDomainResource(rootResource); this.modelNodeRegistration = rootRegistration; } diff --git a/host-controller/src/main/java/org/jboss/as/host/controller/HostControllerLogger.java b/host-controller/src/main/java/org/jboss/as/host/controller/HostControllerLogger.java index c24f0dd0e4fb..a9978b610eb8 100644 --- a/host-controller/src/main/java/org/jboss/as/host/controller/HostControllerLogger.java +++ b/host-controller/src/main/java/org/jboss/as/host/controller/HostControllerLogger.java @@ -26,6 +26,7 @@ import org.jboss.as.controller.client.helpers.domain.ServerStatus; import org.jboss.as.host.controller.model.jvm.JvmType; import org.jboss.as.server.ServerState; +import org.jboss.dmr.ModelNode; import org.jboss.logging.BasicLogger; import org.jboss.logging.annotations.Cause; import org.jboss.logging.annotations.LogMessage; 
@@ -397,6 +398,7 @@ public interface HostControllerLogger extends BasicLogger { @Message(id=10939, value="The slave host controller \"%s\" could not be reached in the last [%d] milliseconds. Unregistering.") void slaveHostControllerUnreachable(String hostName, long timeout); + // WARNING -- THESE MESSAGE NUMBERS SHOULD NOT BE IN THIS FILE, BUT NOW THEY ARE OUT IN THE WILD /** * Logs a warning message indicating that the slave host controller could not * connect to the remote domain controller and that another discovery option @@ -437,4 +439,21 @@ public interface HostControllerLogger extends BasicLogger { @LogMessage(level = Level.ERROR) @Message(id=16537, value = "Could not remove S3 file. Error was: %s") void cannotRemoveS3File(Exception e); + + // WARNING -- THE MESSAGE NUMBERS ABOVE SHOULD NOT BE IN THIS FILE, BUT NOW THEY ARE OUT IN THE WILD + + // BEGIN WITH 16576 + + @LogMessage(level = Level.ERROR) + @Message(id=16576, value = "Failed to apply domain-wide configuration from master host controller") + void failedToApplyDomainConfig(@Cause Exception e); + + @LogMessage(level = Level.ERROR) + @Message(id=16577, value = "Failed to apply domain-wide configuration from master host controller. " + + "Operation outcome: %s. Failure description %s") + void failedToApplyDomainConfig(String outcome, ModelNode failureDescription); + + + + // END WITH 16599 } diff --git a/host-controller/src/main/java/org/jboss/as/host/controller/HostControllerMessages.java b/host-controller/src/main/java/org/jboss/as/host/controller/HostControllerMessages.java index 7be330dd6b83..eaf9181a6caa 100644 --- a/host-controller/src/main/java/org/jboss/as/host/controller/HostControllerMessages.java +++ b/host-controller/src/main/java/org/jboss/as/host/controller/HostControllerMessages.java @@ -735,4 +735,7 @@ public interface HostControllerMessages { @Message(id=16540, value="There is no resource called %s") OperationFailedException noResourceFor(PathAddress address); + + + // END WITH 16575 } 
diff --git a/host-controller/src/main/java/org/jboss/as/host/controller/HostModelUtil.java b/host-controller/src/main/java/org/jboss/as/host/controller/HostModelUtil.java index e32cd72227d3..020644cadb28 100644 --- a/host-controller/src/main/java/org/jboss/as/host/controller/HostModelUtil.java +++ b/host-controller/src/main/java/org/jboss/as/host/controller/HostModelUtil.java @@ -72,8 +72,9 @@ public static StandardResourceDescriptionResolver getResourceDescriptionResolver public static void createRootRegistry(final ManagementResourceRegistration root, final HostControllerEnvironment environment, final IgnoredDomainResourceRegistry ignoredDomainResourceRegistry, - final HostModelRegistrar hostModelRegistrar, ProcessType processType) { - + final HostModelRegistrar hostModelRegistrar, + final ProcessType processType, + final DelegatingConfigurableAuthorizer authorizer) { // Add of the host itself final HostModelRegistrationHandler hostModelRegistratorHandler = new HostModelRegistrationHandler(environment, ignoredDomainResourceRegistry, hostModelRegistrar); root.registerOperationHandler(HostModelRegistrationHandler.DEFINITION, hostModelRegistratorHandler); @@ -84,7 +85,7 @@ public static void createRootRegistry(final ManagementResourceRegistration root, if (root.getOperationEntry(PathAddress.EMPTY_ADDRESS, ValidateOperationHandler.DEFINITION.getName())==null){//this is hack root.registerOperationHandler(ValidateOperationHandler.DEFINITION, ValidateOperationHandler.INSTANCE); } - root.registerOperationHandler(WhoAmIOperation.DEFINITION, WhoAmIOperation.INSTANCE, true); + root.registerOperationHandler(WhoAmIOperation.DEFINITION, WhoAmIOperation.createOperation(authorizer), true); // Other root resource operations root.registerOperationHandler(CompositeOperationHandler.DEFINITION, CompositeOperationHandler.INSTANCE); 
@@ -103,7 +104,7 @@ public static void createHostRegistry(final String hostName, final IgnoredDomainResourceRegistry ignoredRegistry, final ControlledProcessState processState, final PathManagerService pathManager, - DelegatingConfigurableAuthorizer authorizer, + final DelegatingConfigurableAuthorizer authorizer, final ManagedAuditLogger auditLogger) { // Add of the host itself ManagementResourceRegistration hostRegistration = root.registerSubModel( diff --git a/host-controller/src/main/java/org/jboss/as/host/controller/RemoteDomainConnectionService.java b/host-controller/src/main/java/org/jboss/as/host/controller/RemoteDomainConnectionService.java index d1788c2a151f..3000e1eb5976 100644 --- a/host-controller/src/main/java/org/jboss/as/host/controller/RemoteDomainConnectionService.java +++ b/host-controller/src/main/java/org/jboss/as/host/controller/RemoteDomainConnectionService.java @@ -455,10 +455,17 @@ private boolean applyRemoteDomainModel(final List bootOperations) { // Execute the operation result = controller.execute(operation, OperationMessageHandler.logging, ModelController.OperationTransactionControl.COMMIT, OperationAttachments.EMPTY); } catch (Exception e) { + HostControllerLogger.DOMAIN_LOGGER.failedToApplyDomainConfig(e); return false; } // If it did not success, don't register it at the DC - return SUCCESS.equals(result.get(OUTCOME).asString()); + String outcome = result.get(OUTCOME).asString(); + boolean success = SUCCESS.equals(outcome); + if (!success) { + ModelNode failureDesc = result.hasDefined(FAILURE_DESCRIPTION) ? result.get(FAILURE_DESCRIPTION) : new ModelNode(); + HostControllerLogger.DOMAIN_LOGGER.failedToApplyDomainConfig(outcome, failureDesc); + } + return success; } /** {@inheritDoc} */ 
diff --git a/host-controller/src/test/java/org/jboss/as/domain/controller/operations/AbstractOperationTestCase.java b/host-controller/src/test/java/org/jboss/as/domain/controller/operations/AbstractOperationTestCase.java index 7578a1b1fbe7..382766a56b4f 100644 --- a/host-controller/src/test/java/org/jboss/as/domain/controller/operations/AbstractOperationTestCase.java +++ b/host-controller/src/test/java/org/jboss/as/domain/controller/operations/AbstractOperationTestCase.java @@ -41,6 +41,7 @@ import static org.junit.Assert.fail; import java.io.InputStream; +import java.util.ArrayList; import java.util.Collections; import java.util.EnumSet; import java.util.HashMap; @@ -52,6 +53,7 @@ import org.jboss.as.controller.AttributeDefinition; import org.jboss.as.controller.ControlledProcessState; +import org.jboss.as.controller.NoopOperationStepHandler; import org.jboss.as.controller.OperationContext; import org.jboss.as.controller.OperationDefinition; import org.jboss.as.controller.OperationStepHandler; @@ -80,6 +82,7 @@ import org.jboss.as.controller.registry.OperationEntry; import org.jboss.as.controller.registry.Resource; import org.jboss.as.domain.controller.LocalHostControllerInfo; +import org.jboss.as.domain.management.CoreManagementResourceDefinition; import org.jboss.as.host.controller.discovery.DiscoveryOption; import org.jboss.dmr.ModelNode; import org.jboss.msc.service.ServiceController; @@ -160,6 +163,16 @@ MockOperationContext getOperationContext(final PathAddress operationAddress) { return new MockOperationContext(root, false, operationAddress); } + static class OperationAndHandler { + public final ModelNode operation; + public final OperationStepHandler handler; + + OperationAndHandler(ModelNode operation, OperationStepHandler handler) { + this.operation = operation; + this.handler = handler; + } + } + class MockOperationContext implements OperationContext { Resource root; private final boolean booting; 
@@ -167,23 +180,31 @@ class MockOperationContext implements OperationContext { private Set expectedSteps = new HashSet(); private final Map, Object> valueAttachments = new HashMap, Object>(); private final ModelNode result = new ModelNode(); + private final boolean failOnUnexpected; + private final Map> addedSteps = new HashMap>(); - - protected MockOperationContext(final Resource root, final boolean booting, final PathAddress operationAddress) { + protected MockOperationContext(final Resource root, final boolean booting, final PathAddress operationAddress, + boolean failOnUnexpected) { this.root = root; this.booting = booting; this.operationAddress = operationAddress; + this.failOnUnexpected = failOnUnexpected; + } + + protected MockOperationContext(final Resource root, final boolean booting, final PathAddress operationAddress) { + this(root, booting, operationAddress, true); } public void expectStep(final PathAddress address) { this.expectedSteps.add(address); } - public void verify() { + public Map> verify() { if (!expectedSteps.isEmpty()) { System.out.println("Missing: " + expectedSteps); fail("Not all the expected steps were added. " + expectedSteps); } + return addedSteps; } public void addStep(OperationStepHandler step, OperationContext.Stage stage) throws IllegalArgumentException { @@ -194,7 +215,7 @@ public void addStep(OperationStepHandler step, OperationContext.Stage stage) thr @Override public void addStep(OperationStepHandler step, Stage stage, boolean addFirst) throws IllegalArgumentException { - addStep(step, stage); + addStep(new ModelNode().setEmptyObject(), step, stage, addFirst); } public void addStep(ModelNode operation, OperationStepHandler step, OperationContext.Stage stage) throws IllegalArgumentException { 
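Review bot: `verify()` now returns the context's own `addedSteps` map, so a caller can modify the recorded steps, and a later `addStep` changes a map the test already holds. Returning a read-only view keeps the record trustworthy: `return Collections.unmodifiableMap(addedSteps);` (`java.util.Collections` is already imported in this file). The new return value and the `failOnUnexpected` constructor flag also have no Javadoc; one sentence each, saying that the map is keyed by stage and that `false` lets unexpected steps through unchecked, would help. MockOperationContext continues outside the hunk.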
@@ -202,7 +223,7 @@ public void addStep(ModelNode operation, OperationStepHandler step, OperationCon } public void addStep(ModelNode operation, OperationStepHandler step, OperationContext.Stage stage, boolean addFirst) throws IllegalArgumentException { final PathAddress opAddress = PathAddress.pathAddress(operation.get(OP_ADDR)); - if (!expectedSteps.contains(opAddress)) { + if (!expectedSteps.contains(opAddress) && failOnUnexpected) { if (opAddress.size() == 2){ //Ignore the add/removing running server add step done by ServerAddHandler and ServerRemoveHandler if (opAddress.getElement(0).getKey().equals(HOST) && opAddress.getElement(1).getKey().equals(SERVER) && @@ -214,6 +235,17 @@ public void addStep(ModelNode operation, OperationStepHandler step, OperationCon fail("Should not have added step for: " + opAddress); } expectedSteps.remove(opAddress); + List stageList = addedSteps.get(stage); + if (stageList == null) { + stageList = new ArrayList(); + addedSteps.put(stage, stageList); + } + OperationAndHandler oah = new OperationAndHandler(operation, step); + if (addFirst) { + stageList.add(0, oah); + } else { + stageList.add(oah); + } } @Override @@ -551,6 +583,9 @@ public Environment getCallEnvironment() { Resource createRootResource() { final Resource rootResource = Resource.Factory.create(); + + CoreManagementResourceDefinition.registerDomainResource(rootResource); + final Resource host = Resource.Factory.create(); final Resource serverOneConfig = Resource.Factory.create(); final ModelNode serverOneModel = new ModelNode(); @@ -755,7 +790,7 @@ public boolean isRemote() { } public OperationStepHandler getOperationHandler(PathAddress address, String operationName) { - return null; + return NoopOperationStepHandler.WITHOUT_RESULT; } public DescriptionProvider getOperationDescription(PathAddress address, String operationName) { 
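Review bot: In the last hunk of this file `getOperationHandler` now returns `NoopOperationStepHandler.WITHOUT_RESULT` for every address and operation name, so the mock registration reports a handler even for operations that do not exist. Code under test that treats a `null` handler as "operation not registered" can no longer reach that branch in these tests. If the change is only needed because the handlers look the operation up before adding a step, a comment saying so would help, for example `// Any non-null handler is enough here; the lookup result is never executed`. The enclosing mock class starts outside the hunk.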
diff --git a/host-controller/src/test/java/org/jboss/as/domain/controller/operations/ApplyRemoteMasterDomainModelHandlerTestCase.java b/host-controller/src/test/java/org/jboss/as/domain/controller/operations/ApplyRemoteMasterDomainModelHandlerTestCase.java index 04adb24250f0..469737f79370 100644 --- a/host-controller/src/test/java/org/jboss/as/domain/controller/operations/ApplyRemoteMasterDomainModelHandlerTestCase.java +++ b/host-controller/src/test/java/org/jboss/as/domain/controller/operations/ApplyRemoteMasterDomainModelHandlerTestCase.java @@ -32,6 +32,7 @@ import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.SERVER_GROUP; import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.SOCKET_BINDING; import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.SOCKET_BINDING_GROUP; +import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertTrue; import java.io.File; @@ -41,6 +42,7 @@ import java.util.Collections; import java.util.HashMap; import java.util.HashSet; +import java.util.List; import java.util.Map; import java.util.Set; @@ -53,6 +55,9 @@ import org.jboss.as.controller.ProxyController; import org.jboss.as.controller.RunningMode; import org.jboss.as.controller.RunningModeControl; +import org.jboss.as.controller.access.Authorizer; +import org.jboss.as.controller.access.management.WritableAuthorizerConfiguration; +import org.jboss.as.controller.access.rbac.StandardRBACAuthorizer; import org.jboss.as.controller.extension.ExtensionRegistry; import org.jboss.as.controller.persistence.ExtensibleConfigurationPersister; import org.jboss.as.controller.registry.ManagementResourceRegistration; 
@@ -91,7 +96,9 @@ protected void initializeExtension(String module) { // nothing here } }; - private final ApplyRemoteMasterDomainModelHandler handler = new ApplyRemoteMasterDomainModelHandler(new MockDomainController(), createHostControllerEnvironment(), null, null, HOST_INFO, new IgnoredDomainResourceRegistry(HOST_INFO)); + WritableAuthorizerConfiguration authorizerConfiguration = new WritableAuthorizerConfiguration(StandardRBACAuthorizer.AUTHORIZER_DESCRIPTION); + private final ApplyRemoteMasterDomainModelHandler handler = new ApplyRemoteMasterDomainModelHandler(new MockDomainController(), + createHostControllerEnvironment(), null, null, HOST_INFO, new IgnoredDomainResourceRegistry(HOST_INFO), authorizerConfiguration); @Test public void testNoChanges() throws Exception { 
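Review bot: The new `authorizerConfiguration` field is declared without `private final`, unlike the `handler` field on the next line that consumes it. Because `handler` is initialised from it, the declaration order matters; `private final WritableAuthorizerConfiguration authorizerConfiguration = new WritableAuthorizerConfiguration(StandardRBACAuthorizer.AUTHORIZER_DESCRIPTION);` makes the dependency explicit and stops a test from swapping the configuration after the handler has captured it.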
@@ -153,9 +160,19 @@ public void testChangesToNonExtensions() throws Exception { change.get(ReadMasterDomainModelUtil.DOMAIN_RESOURCE_MODEL).set(group); operation.get(DOMAIN_MODEL).set(getCurrentModelUpdates(root, UpdateListModifier.createForChanges(change))); - final MockOperationContext operationContext = getOperationContext(root, false); - operationContext.expectStep(PathAddress.pathAddress(PathElement.pathElement(HOST, "localhost"), PathElement.pathElement(SERVER, "server-one"))); + MockOperationContext operationContext = getOperationContext(root, false); + operationContext.expectStep(PathAddress.EMPTY_ADDRESS); handler.execute(operationContext, operation); + Map> addedSteps = operationContext.verify(); + + assertTrue(addedSteps.containsKey(OperationContext.Stage.MODEL)); + List modelSteps = addedSteps.get(OperationContext.Stage.MODEL); + assertEquals(2, modelSteps.size()); + OperationAndHandler oah = modelSteps.get(1); + + operationContext = getOperationContext(root, false); + operationContext.expectStep(PathAddress.pathAddress(PathElement.pathElement(HOST, "localhost"), PathElement.pathElement(SERVER, "server-one"))); + oah.handler.execute(operationContext, oah.operation); operationContext.verify(); } @@ -209,7 +226,7 @@ private ModelNode getCurrentModelUpdates(Resource root, UpdateListModifier modif } private MockOperationContext getOperationContext(Resource root, boolean booting) { - return new MockOperationContext(root, booting, PathAddress.EMPTY_ADDRESS); + return new MockOperationContext(root, booting, PathAddress.EMPTY_ADDRESS, false); } diff --git a/server/src/main/java/org/jboss/as/server/controller/resources/ServerRootResourceDefinition.java b/server/src/main/java/org/jboss/as/server/controller/resources/ServerRootResourceDefinition.java index a44314c2e9e2..73140a621b49 100644 --- a/server/src/main/java/org/jboss/as/server/controller/resources/ServerRootResourceDefinition.java 
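Review bot: `modelSteps.get(1)` picks the step to replay by position, and `assertEquals(2, modelSteps.size())` pins the handler to exactly two MODEL steps without saying what the first one is. Any reordering or extra step in `ApplyRemoteMasterDomainModelHandler` would make the test replay the wrong handler or fail with an unhelpful message. A comment above the lookup naming both steps, plus an assertion message such as `assertEquals("expected two MODEL steps", 2, modelSteps.size());`, would make the intent checkable. testChangesToNonExtensions starts outside the hunk.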
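Review bot: Passing `false` for `failOnUnexpected` in `getOperationContext` turns off the unexpected-step check for every test in this class that obtains its context from this helper, not only for `testChangesToNonExtensions`. With the flag off, `verify()` only proves that the expected steps were added, so a handler that adds extra steps would pass unnoticed; the matching condition change is `!expectedSteps.contains(opAddress) && failOnUnexpected` in AbstractOperationTestCase. If the other tests cannot run with the strict check, they should at least assert on the map that `verify()` now returns; otherwise keep the three-argument constructor here and let the one lenient test build its own context with `new MockOperationContext(root, false, PathAddress.EMPTY_ADDRESS, false)`.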
+++ b/server/src/main/java/org/jboss/as/server/controller/resources/ServerRootResourceDefinition.java @@ -267,7 +267,7 @@ public void registerOperations(ManagementResourceRegistration resourceRegistrati resourceRegistration.registerOperationHandler(ResolveExpressionHandler.DEFINITION, ResolveExpressionHandler.INSTANCE, false); resourceRegistration.registerOperationHandler(SpecifiedInterfaceResolveHandler.DEFINITION, SpecifiedInterfaceResolveHandler.INSTANCE); - resourceRegistration.registerOperationHandler(WhoAmIOperation.DEFINITION, WhoAmIOperation.INSTANCE, true); + resourceRegistration.registerOperationHandler(WhoAmIOperation.DEFINITION, WhoAmIOperation.createOperation(authorizer), true); //Hack to be able to access the registry for the jmx facade resourceRegistration.registerOperationHandler(RootResourceHack.DEFINITION, RootResourceHack.INSTANCE); diff --git a/server/src/main/java/org/jboss/as/server/operations/HttpManagementRemoveHandler.java b/server/src/main/java/org/jboss/as/server/operations/HttpManagementRemoveHandler.java index d0e4bd143940..042a9f999143 100644 --- a/server/src/main/java/org/jboss/as/server/operations/HttpManagementRemoveHandler.java +++ b/server/src/main/java/org/jboss/as/server/operations/HttpManagementRemoveHandler.java @@ -47,7 +47,7 @@ private HttpManagementRemoveHandler() { @Override protected void performRemove(OperationContext context, ModelNode operation, ModelNode model) throws OperationFailedException { - RbacSanityCheckOperation.registerOperation(context); + RbacSanityCheckOperation.addOperation(context); super.performRemove(context, operation, model); } diff --git a/server/src/main/java/org/jboss/as/server/operations/NativeManagementRemoveHandler.java b/server/src/main/java/org/jboss/as/server/operations/NativeManagementRemoveHandler.java index 58b135bcdce3..d668e5216c10 100644 --- a/server/src/main/java/org/jboss/as/server/operations/NativeManagementRemoveHandler.java 
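Review bot: `WhoAmIOperation.createOperation(authorizer)` replaces the shared `INSTANCE`, presumably so that whoami can report the caller's roles through `Authorizer.getCallerRoles`, but nothing at this call site says so or shows that `authorizer` is non-null when `registerOperations` runs. The interface Javadoc changed in this commit allows `getCallerRoles` to return `null` when the provider does not support role mapping, so the handler (not shown here) needs to tell `null` apart from an empty set. A comment such as `// whoami needs the authorizer to list the caller's mapped roles` would document the dependency. registerOperations starts outside the hunk.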
+++ b/server/src/main/java/org/jboss/as/server/operations/NativeManagementRemoveHandler.java @@ -46,7 +46,7 @@ private NativeManagementRemoveHandler() { @Override protected void performRemove(OperationContext context, ModelNode operation, ModelNode model) throws OperationFailedException { - RbacSanityCheckOperation.registerOperation(context); + RbacSanityCheckOperation.addOperation(context); super.performRemove(context, operation, model); } diff --git a/server/src/main/java/org/jboss/as/server/operations/NativeRemotingManagementRemoveHandler.java b/server/src/main/java/org/jboss/as/server/operations/NativeRemotingManagementRemoveHandler.java index 10dfb7f14390..8fdd3d223850 100644 --- a/server/src/main/java/org/jboss/as/server/operations/NativeRemotingManagementRemoveHandler.java +++ b/server/src/main/java/org/jboss/as/server/operations/NativeRemotingManagementRemoveHandler.java @@ -48,7 +48,7 @@ private NativeRemotingManagementRemoveHandler() { @Override protected void performRemove(OperationContext context, ModelNode operation, ModelNode model) throws OperationFailedException { - RbacSanityCheckOperation.registerOperation(context); + RbacSanityCheckOperation.addOperation(context); super.performRemove(context, operation, model); } diff --git a/testsuite/domain/src/test/java/org/jboss/as/test/integration/domain/suites/DomainRbacTestSuite.java b/testsuite/domain/src/test/java/org/jboss/as/test/integration/domain/suites/DomainRbacTestSuite.java index 3522d1393596..351a3fe9c58f 100644 --- a/testsuite/domain/src/test/java/org/jboss/as/test/integration/domain/suites/DomainRbacTestSuite.java +++ b/testsuite/domain/src/test/java/org/jboss/as/test/integration/domain/suites/DomainRbacTestSuite.java 
@@ -102,11 +102,11 @@ public static DomainTestSupport createAndStartDefaultSupport(final String testNa try { // TODO enable slaves once propagation is working final DomainTestSupport.Configuration configuration = DomainTestSupport.Configuration.create(testName, - "domain-configs/domain-standard.rbac", "host-configs/host-master.xml", null); + "domain-configs/domain-standard.rbac", "host-configs/host-master.xml", "host-configs/host-slave.xml"); String mgmtUserProperties = JBossAsManagedConfiguration.loadConfigFileFromContextClassLoader("mgmt-users/mgmt-users.properties"); configuration.getMasterConfiguration().setMgmtUsersFile(mgmtUserProperties); // TODO enable slaves once propagation is working - //configuration.getSlaveConfiguration().setMgmtUsersFile(mgmtUserProperties); + configuration.getSlaveConfiguration().setMgmtUsersFile(mgmtUserProperties); final DomainTestSupport testSupport = DomainTestSupport.create(configuration); // Start! testSupport.start();
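Review bot: Both `// TODO enable slaves once propagation is working` comments are left in place although this hunk enables the slave, by passing `"host-configs/host-slave.xml"` and calling `configuration.getSlaveConfiguration().setMgmtUsersFile(mgmtUserProperties)`. Stale TODOs next to the code they describe will mislead the next reader of the RBAC test suite; I would delete both, or replace the second with `// Master and slave share the same management users file`. createAndStartDefaultSupport continues outside the hunk.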