diff --git a/elytron/src/main/java/org/wildfly/extension/elytron/ElytronDefinition.java b/elytron/src/main/java/org/wildfly/extension/elytron/ElytronDefinition.java
index 57353e406d5..48815ca6355 100644
--- a/elytron/src/main/java/org/wildfly/extension/elytron/ElytronDefinition.java
+++ b/elytron/src/main/java/org/wildfly/extension/elytron/ElytronDefinition.java
@@ -256,6 +256,7 @@ public void registerChildren(ManagementResourceRegistration resourceRegistration
         resourceRegistration.registerSubModel(new CustomComponentDefinition<>(RoleMapper.class, Function.identity(), ElytronDescriptionConstants.CUSTOM_ROLE_MAPPER, ROLE_MAPPER_RUNTIME_CAPABILITY));
         resourceRegistration.registerSubModel(RoleMapperDefinitions.getLogicalRoleMapperDefinition());
         resourceRegistration.registerSubModel(RoleMapperDefinitions.getMappedRoleMapperDefinition());
+        resourceRegistration.registerSubModel(RoleMapperDefinitions.getRegexRoleMapperDefinition());
 
         // Evidence Decoders
         resourceRegistration.registerSubModel(EvidenceDecoderDefinitions.getX500SubjectEvidenceDecoderDefinition());
diff --git a/elytron/src/main/java/org/wildfly/extension/elytron/ElytronDescriptionConstants.java b/elytron/src/main/java/org/wildfly/extension/elytron/ElytronDescriptionConstants.java
index 8409fd002c0..2ff7348c315 100644
--- a/elytron/src/main/java/org/wildfly/extension/elytron/ElytronDescriptionConstants.java
+++ b/elytron/src/main/java/org/wildfly/extension/elytron/ElytronDescriptionConstants.java
@@ -430,6 +430,7 @@ interface ElytronDescriptionConstants {
     String REFERRAL_MODE = "referral-mode";
     String REGISTER_JASPI_FACTORY = "register-jaspi-factory";
     String REGEX_PRINCIPAL_TRANSFORMER = "regex-principal-transformer";
+    String REGEX_ROLE_MAPPER = "regex-role-mapper";
     String REGEX_VALIDATING_PRINCIPAL_TRANSFORMER = "regex-validating-principal-transformer";
     String RELATIVE_TO = "relative-to";
     String REMOVE_ALIAS = "remove-alias";
diff --git a/elytron/src/main/java/org/wildfly/extension/elytron/ElytronSubsystemTransformers.java b/elytron/src/main/java/org/wildfly/extension/elytron/ElytronSubsystemTransformers.java
index 5ebbf43d1db..257dc3a5fd3 100644
--- a/elytron/src/main/java/org/wildfly/extension/elytron/ElytronSubsystemTransformers.java
+++ b/elytron/src/main/java/org/wildfly/extension/elytron/ElytronSubsystemTransformers.java
@@ -111,6 +111,7 @@ public void registerTransformers(SubsystemTransformerRegistration registration)
 
     private static void from10(ChainedTransformationDescriptionBuilder chainedBuilder) {
         ResourceTransformationDescriptionBuilder builder = chainedBuilder.createBuilder(ELYTRON_10_0_0, ELYTRON_9_0_0);
+        builder.rejectChildResource(PathElement.pathElement(ElytronDescriptionConstants.REGEX_ROLE_MAPPER));
 
     }
 
diff --git a/elytron/src/main/java/org/wildfly/extension/elytron/MapperParser.java b/elytron/src/main/java/org/wildfly/extension/elytron/MapperParser.java
index 13c80f5de97..0b5a2f6ab6e 100644
--- a/elytron/src/main/java/org/wildfly/extension/elytron/MapperParser.java
+++ b/elytron/src/main/java/org/wildfly/extension/elytron/MapperParser.java
@@ -205,6 +205,13 @@ public void marshallSingleElement(AttributeDefinition attribute, ModelNode prope
             })
             .build();
 
+    private PersistentResourceXMLDescription regexRoleMapperParser = PersistentResourceXMLDescription.builder(RoleMapperDefinitions.getRegexRoleMapperDefinition().getPathElement())
+            .addAttribute(RoleMapperDefinitions.PATTERN)
+            .addAttribute(RoleMapperDefinitions.REPLACEMENT)
+            .addAttribute(RoleMapperDefinitions.KEEP_NON_MAPPED)
+            .addAttribute(RoleMapperDefinitions.REPLACE_ALL)
+            .build();
+
     private PersistentResourceXMLDescription addPrefixRoleMapperParser = PersistentResourceXMLDescription.builder(RoleMapperDefinitions.getAddPrefixRoleMapperDefinition().getPathElement())
             .addAttribute(RoleMapperDefinitions.PREFIX)
             .build();
@@ -380,6 +387,7 @@ public PersistentResourceXMLDescription getParser() {
                 .addChild(x509SubjectAltNameEvidenceDecoder) // new
                 .addChild(getCustomComponentParser(CUSTOM_EVIDENCE_DECODER)) // new
                 .addChild(aggregateEvidenceDecoderParser) // new
+                .addChild(regexRoleMapperParser) // new
                 .build();
     }
 }
diff --git a/elytron/src/main/java/org/wildfly/extension/elytron/RegexAttributeDefinitions.java b/elytron/src/main/java/org/wildfly/extension/elytron/RegexAttributeDefinitions.java
index d13f68f7458..6667b2b2316 100644
--- a/elytron/src/main/java/org/wildfly/extension/elytron/RegexAttributeDefinitions.java
+++ b/elytron/src/main/java/org/wildfly/extension/elytron/RegexAttributeDefinitions.java
@@ -37,7 +37,7 @@ class RegexAttributeDefinitions {
 
     static final SimpleAttributeDefinition PATTERN = new SimpleAttributeDefinitionBuilder(ElytronDescriptionConstants.PATTERN, ModelType.STRING, false)
             .setAllowExpression(true)
-            .setValidator(new RexExValidator())
+            .setValidator(new RegExValidator())
             .setMinSize(1)
             .setRestartAllServices()
             .build();
@@ -49,9 +49,9 @@ class RegexAttributeDefinitions {
             .setRestartAllServices()
             .build();
 
-    private static class RexExValidator extends StringLengthValidator {
+    private static class RegExValidator extends StringLengthValidator {
 
-        private RexExValidator() {
+        private RegExValidator() {
             super(1, false, false);
         }
 
@@ -70,7 +70,7 @@ public void validateParameter(String parameterName, ModelNode value) throws Oper
 
     }
 
-    private static class CaptureGroupRexExValidator extends RexExValidator {
+    private static class CaptureGroupRexExValidator extends RegExValidator {
 
         @Override
         public void validateParameter(String parameterName, ModelNode value) throws OperationFailedException {
diff --git a/elytron/src/main/java/org/wildfly/extension/elytron/RoleMapperDefinitions.java b/elytron/src/main/java/org/wildfly/extension/elytron/RoleMapperDefinitions.java
index 9f32945c905..702c8542cdd 100644
--- a/elytron/src/main/java/org/wildfly/extension/elytron/RoleMapperDefinitions.java
+++ b/elytron/src/main/java/org/wildfly/extension/elytron/RoleMapperDefinitions.java
@@ -58,6 +58,7 @@
 import org.jboss.msc.value.InjectedValue;
 import org.wildfly.extension.elytron.TrivialService.ValueSupplier;
 import org.wildfly.security.authz.MappedRoleMapper;
+import org.wildfly.security.authz.RegexRoleMapper;
 import org.wildfly.security.authz.RoleMapper;
 import org.wildfly.security.authz.Roles;
 
@@ -80,6 +81,14 @@ class RoleMapperDefinitions {
         .setRestartAllServices()
         .build();
 
+    static final SimpleAttributeDefinition PATTERN = new SimpleAttributeDefinitionBuilder(RegexAttributeDefinitions.PATTERN).build();
+
+    static final SimpleAttributeDefinition REPLACEMENT = new SimpleAttributeDefinitionBuilder(ElytronDescriptionConstants.REPLACEMENT, ModelType.STRING, false)
+            .setAllowExpression(true)
+            .setMinSize(1)
+            .setRestartAllServices()
+            .build();
+
     static final SimpleAttributeDefinition LEFT = new SimpleAttributeDefinitionBuilder(ElytronDescriptionConstants.LEFT, ModelType.STRING, true)
         .setMinSize(1)
         .setRestartAllServices()
@@ -118,6 +127,12 @@ class RoleMapperDefinitions {
             .setRestartAllServices()
             .build();
 
+    static final SimpleAttributeDefinition REPLACE_ALL = new SimpleAttributeDefinitionBuilder(ElytronDescriptionConstants.REPLACE_ALL, ModelType.BOOLEAN, true)
+            .setAllowExpression(true)
+            .setDefaultValue(ModelNode.FALSE)
+            .setRestartAllServices()
+            .build();
+
     static final StringListAttributeDefinition ROLES = new StringListAttributeDefinition.Builder(ElytronDescriptionConstants.ROLES)
             .setAllowExpression(true)
             .setMinSize(1)
@@ -173,6 +188,31 @@ protected ValueSupplier<RoleMapper> getValueSupplier(OperationContext context, M
         return new RoleMapperResourceDefinition(ElytronDescriptionConstants.MAPPED_ROLE_MAPPER, add, ROLE_MAPPING_MAP, KEEP_MAPPED, KEEP_NON_MAPPED);
     }
 
+    static ResourceDefinition getRegexRoleMapperDefinition() {
+        AbstractAddStepHandler add = new RoleMapperAddHandler(PATTERN, REPLACEMENT, KEEP_NON_MAPPED, REPLACE_ALL) {
+
+            @Override
+            protected ValueSupplier<RoleMapper> getValueSupplier(OperationContext context, ModelNode model) throws OperationFailedException {
+                final String regex = PATTERN.resolveModelAttribute(context, model).asString();
+                final String replacement = REPLACEMENT.resolveModelAttribute(context, model).asString();
+                final Boolean keepNonMapped = KEEP_NON_MAPPED.resolveModelAttribute(context, model).asBoolean();
+                final Boolean replaceAll = REPLACE_ALL.resolveModelAttribute(context, model).asBoolean();
+
+                final RegexRoleMapper roleMapper = new RegexRoleMapper.Builder()
+                        .setPattern(regex)
+                        .setReplacement(replacement)
+                        .setKeepNonMapped(keepNonMapped)
+                        .setReplaceAll(replaceAll)
+                        .build();
+
+                return () -> roleMapper;
+
+            }
+        };
+
+        return new RoleMapperResourceDefinition(ElytronDescriptionConstants.REGEX_ROLE_MAPPER, add, PATTERN, REPLACEMENT, KEEP_NON_MAPPED, REPLACE_ALL);
+    }
+
     static AggregateComponentDefinition<RoleMapper> getAggregateRoleMapperDefinition() {
         return AGGREGATE_ROLE_MAPPER;
     }
diff --git a/elytron/src/main/java/org/wildfly/extension/elytron/_private/ElytronSubsystemMessages.java b/elytron/src/main/java/org/wildfly/extension/elytron/_private/ElytronSubsystemMessages.java
index bb70f7c2cc1..01f0547abdf 100644
--- a/elytron/src/main/java/org/wildfly/extension/elytron/_private/ElytronSubsystemMessages.java
+++ b/elytron/src/main/java/org/wildfly/extension/elytron/_private/ElytronSubsystemMessages.java
@@ -578,4 +578,7 @@ public interface ElytronSubsystemMessages extends BasicLogger {
     @Message(id = 1066, value = "Invalid value for cipher-suite-names. %s")
     OperationFailedException invalidCipherSuiteNames(@Cause Throwable cause, String causeMessage);
 
+    @Message(id = 1067, value = "Value '%s' is not valid regex.")
+    OperationFailedException invalidRegex(String regex);
+
 }
diff --git a/elytron/src/main/resources/org/wildfly/extension/elytron/LocalDescriptions.properties b/elytron/src/main/resources/org/wildfly/extension/elytron/LocalDescriptions.properties
index f945efb14a0..402889be596 100644
--- a/elytron/src/main/resources/org/wildfly/extension/elytron/LocalDescriptions.properties
+++ b/elytron/src/main/resources/org/wildfly/extension/elytron/LocalDescriptions.properties
@@ -668,6 +668,16 @@ elytron.mapped-role-mapper.keep-mapped=When set to 'true' the mapped roles will
 elytron.mapped-role-mapper.keep-non-mapped=When set to 'true' the mapped roles will retain all roles, that have no defined mappings.
 elytron.mapped-role-mapper.role-map=A string to string list map for mapping roles.
 
+elytron.regex-role-mapper=A RoleMapper definition for a RoleMapper that performs a mapping based on regex and replaces matching roles with replacement pattern.
+# Operations
+elytron.regex-role-mapper.add=The add operation for the role mapper.
+elytron.regex-role-mapper.remove=The remove operation for the role mapper.
+# Attributes
+elytron.regex-role-mapper.pattern=Regex string that will be used for matching. Regex can capture groups. Role matches the pattern if given pattern can be found in any substring of given role.
+elytron.regex-role-mapper.replacement=Replacement that will be used when mapping roles that contain the pattern. Can make use of captured groups from pattern.
+elytron.regex-role-mapper.keep-non-mapped=When set to 'true' then the roles that did not match the pattern will be kept and not removed.
+elytron.regex-role-mapper.replace-all=When set to 'false', only first occurrence of the pattern will be replaced in role. When set to 'true' then all of the occurrences will be replaced by replacement.
+
 #####################
 # Realm Definitions #
 #####################
diff --git a/elytron/src/main/resources/schema/wildfly-elytron_10_0.xsd b/elytron/src/main/resources/schema/wildfly-elytron_10_0.xsd
index 2b57cf5d56f..f9282eb85b8 100644
--- a/elytron/src/main/resources/schema/wildfly-elytron_10_0.xsd
+++ b/elytron/src/main/resources/schema/wildfly-elytron_10_0.xsd
@@ -2522,6 +2522,7 @@
             <xs:element name="x509-subject-alt-name-evidence-decoder" type="x509SubjectAltNameEvidenceDecoderType" minOccurs="0" maxOccurs="unbounded" />
             <xs:element name="custom-evidence-decoder" type="customEvidenceDecoderType" minOccurs="0" maxOccurs="unbounded" />
             <xs:element name="aggregate-evidence-decoder" type="aggregateEvidenceDecoderType" minOccurs="0" maxOccurs="unbounded" />
+            <xs:element name="regex-role-mapper" type="regexRoleMapperType" minOccurs="0" maxOccurs="unbounded" />
         </xs:choice>
     </xs:complexType>
 
@@ -3542,6 +3543,47 @@
         </xs:complexContent>
     </xs:complexType>
 
+    <xs:complexType name="regexRoleMapperType">
+        <xs:annotation>
+            <xs:documentation>
+                A RoleMapper definition that uses pattern to find matching roles and then replaces these roles with replacement pattern.
+                Role matches the pattern in given pattern can be found in any substring of the role name.
+            </xs:documentation>
+        </xs:annotation>
+        <xs:complexContent>
+            <xs:extension base="roleMapperType">
+                <xs:attribute name="pattern" type="xs:string" use="required">
+                    <xs:annotation>
+                        <xs:documentation>
+                            The pattern used for matching. Can capture groups.
+                        </xs:documentation>
+                    </xs:annotation>
+                </xs:attribute>
+                <xs:attribute name="replacement" type="xs:string" use="required">
+                    <xs:annotation>
+                        <xs:documentation>
+                            The replacement string. Can make use of captured groups.
+                        </xs:documentation>
+                    </xs:annotation>
+                </xs:attribute>
+                <xs:attribute name="keep-non-mapped" type="xs:boolean" use="optional" default="false">
+                    <xs:annotation>
+                        <xs:documentation>
+                            If true, keep roles that did not match the provided pattern.
+                        </xs:documentation>
+                    </xs:annotation>
+                </xs:attribute>
+                <xs:attribute name="replace-all" type="xs:boolean" use="optional" default="false">
+                    <xs:annotation>
+                        <xs:documentation>
+                            If true, replace all occurrences of pattern and not only the first one.
+                        </xs:documentation>
+                    </xs:annotation>
+                </xs:attribute>
+            </xs:extension>
+        </xs:complexContent>
+    </xs:complexType>
+
     <xs:complexType name="roleMapperRefType">
         <xs:annotation>
             <xs:documentation>
diff --git a/elytron/src/test/java/org/wildfly/extension/elytron/RegexRoleMapperTestCase.java b/elytron/src/test/java/org/wildfly/extension/elytron/RegexRoleMapperTestCase.java
new file mode 100644
index 00000000000..d50529344e4
--- /dev/null
+++ b/elytron/src/test/java/org/wildfly/extension/elytron/RegexRoleMapperTestCase.java
@@ -0,0 +1,181 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2019 Red Hat, Inc., and individual contributors
+ * as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.wildfly.extension.elytron;
+
+import org.jboss.as.controller.client.helpers.ClientConstants;
+import org.jboss.as.subsystem.test.AbstractSubsystemBaseTest;
+import org.jboss.as.subsystem.test.KernelServices;
+import org.jboss.dmr.ModelNode;
+import org.jboss.msc.service.ServiceName;
+import org.junit.Assert;
+import org.junit.Test;
+import org.wildfly.security.auth.server.SecurityDomain;
+import org.wildfly.security.auth.server.SecurityIdentity;
+import org.wildfly.security.auth.server.ServerAuthenticationContext;
+import org.wildfly.security.authz.Roles;
+
+import java.io.IOException;
+
+import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.FAILED;
+import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.OUTCOME;
+
+public class RegexRoleMapperTestCase extends AbstractSubsystemBaseTest {
+    private KernelServices services = null;
+
+    public RegexRoleMapperTestCase() {
+        super(ElytronExtension.SUBSYSTEM_NAME, new ElytronExtension());
+    }
+
+    @Override
+    protected String getSubsystemXml() throws IOException {
+        return readResource("role-mappers-test.xml");
+    }
+
+    private void init(String... domainsToActivate) throws Exception {
+        services = super.createKernelServicesBuilder(new TestEnvironment()).setSubsystemXmlResource("role-mappers-test.xml").build();
+        if (!services.isSuccessfulBoot()) {
+            Assert.fail(services.getBootError().toString());
+        }
+        TestEnvironment.activateService(services, Capabilities.SECURITY_DOMAIN_RUNTIME_CAPABILITY, "TestDomain5");
+        TestEnvironment.activateService(services, Capabilities.SECURITY_DOMAIN_RUNTIME_CAPABILITY, "TestDomain6");
+        TestEnvironment.activateService(services, Capabilities.SECURITY_DOMAIN_RUNTIME_CAPABILITY, "TestDomain7");
+        TestEnvironment.activateService(services, Capabilities.SECURITY_DOMAIN_RUNTIME_CAPABILITY, "TestDomain8");
+    }
+
+    @Test
+    public void testRegexRoleMapper() throws Exception {
+        init("TestDomain5");
+
+        ServiceName serviceName = Capabilities.SECURITY_DOMAIN_RUNTIME_CAPABILITY.getCapabilityServiceName("TestDomain5");
+        Assert.assertNotNull(services.getContainer());
+        Assert.assertNotNull(services.getContainer().getService(serviceName));
+        SecurityDomain domain = (SecurityDomain) services.getContainer().getService(serviceName).getValue();
+        Assert.assertNotNull(domain);
+
+        ServerAuthenticationContext context = domain.createNewAuthenticationContext();
+        context.setAuthenticationName("user2");
+        Assert.assertTrue(context.exists());
+        Assert.assertTrue(context.authorize());
+        context.succeed();
+        SecurityIdentity identity = context.getAuthorizedIdentity();
+
+        Roles roles = identity.getRoles();
+        Assert.assertTrue(roles.contains("application-user"));
+        Assert.assertFalse(roles.contains("123-user"));
+        Assert.assertFalse(roles.contains("joe"));
+        Assert.assertEquals("user2", identity.getPrincipal().getName());
+    }
+
+    @Test
+    public void testRegexRoleMapper2() throws Exception {
+        init("TestDomain6");
+
+        ServiceName serviceName = Capabilities.SECURITY_DOMAIN_RUNTIME_CAPABILITY.getCapabilityServiceName("TestDomain6");
+        Assert.assertNotNull(services.getContainer());
+        Assert.assertNotNull(services.getContainer().getService(serviceName));
+        SecurityDomain domain = (SecurityDomain) services.getContainer().getService(serviceName).getValue();
+        Assert.assertNotNull(domain);
+
+        ServerAuthenticationContext context = domain.createNewAuthenticationContext();
+        context.setAuthenticationName("user3");
+        Assert.assertTrue(context.exists());
+        Assert.assertTrue(context.authorize());
+        context.succeed();
+        SecurityIdentity identity = context.getAuthorizedIdentity();
+
+        Roles roles = identity.getRoles();
+        Assert.assertTrue(roles.contains("admin"));
+        Assert.assertTrue(roles.contains("user"));
+        Assert.assertFalse(roles.contains("joe"));
+        Assert.assertFalse(roles.contains("application-user"));
+        Assert.assertFalse(roles.contains("123-admin-123"));
+        Assert.assertFalse(roles.contains("aa-user-aa"));
+        Assert.assertEquals("user3", identity.getPrincipal().getName());
+    }
+
+    @Test
+    public void testRegexRoleMapper3() throws Exception {
+        init("TestDomain7");
+
+        ServiceName serviceName = Capabilities.SECURITY_DOMAIN_RUNTIME_CAPABILITY.getCapabilityServiceName("TestDomain7");
+        Assert.assertNotNull(services.getContainer());
+        Assert.assertNotNull(services.getContainer().getService(serviceName));
+        SecurityDomain domain = (SecurityDomain) services.getContainer().getService(serviceName).getValue();
+        Assert.assertNotNull(domain);
+
+        ServerAuthenticationContext context = domain.createNewAuthenticationContext();
+        context.setAuthenticationName("user3");
+        Assert.assertTrue(context.exists());
+        Assert.assertTrue(context.authorize());
+        context.succeed();
+        SecurityIdentity identity = context.getAuthorizedIdentity();
+
+        Roles roles = identity.getRoles();
+        Assert.assertTrue(roles.contains("admin"));
+        Assert.assertTrue(roles.contains("user"));
+        Assert.assertTrue(roles.contains("joe"));
+        Assert.assertFalse(roles.contains("application-user"));
+        Assert.assertFalse(roles.contains("123-admin-123"));
+        Assert.assertFalse(roles.contains("aa-user-aa"));
+        Assert.assertEquals("user3", identity.getPrincipal().getName());
+    }
+
+    @Test
+    public void testAddRegexRoleMapperWillFailWithInvalidRegexAttribute() throws Exception {
+        init();
+        ModelNode operation = new ModelNode();
+        operation.get(ClientConstants.OP_ADDR).add("subsystem", "elytron").add("regex-role-mapper", "my-regex-role-mapper");
+        operation.get(ClientConstants.OP).set(ClientConstants.ADD);
+        operation.get(ElytronDescriptionConstants.PATTERN).set("*-admin");
+        operation.get(ElytronDescriptionConstants.REPLACEMENT).set("$1");
+        ModelNode response = services.executeOperation(operation);
+        // operation will fail because regex is not valid (starts with asterisk)
+        if (! response.get(OUTCOME).asString().equals(FAILED)) {
+            Assert.fail(response.toJSONString(false));
+        }
+    }
+
+    @Test
+    public void testAddRegexRoleMapperReplaceAll() throws Exception {
+        init("TestDomain8");
+
+        ServiceName serviceName = Capabilities.SECURITY_DOMAIN_RUNTIME_CAPABILITY.getCapabilityServiceName("TestDomain8");
+        Assert.assertNotNull(services.getContainer());
+        Assert.assertNotNull(services.getContainer().getService(serviceName));
+        SecurityDomain domain = (SecurityDomain) services.getContainer().getService(serviceName).getValue();
+        Assert.assertNotNull(domain);
+
+        ServerAuthenticationContext context = domain.createNewAuthenticationContext();
+        context.setAuthenticationName("user4");
+        Assert.assertTrue(context.exists());
+        Assert.assertTrue(context.authorize());
+        context.succeed();
+        SecurityIdentity identity = context.getAuthorizedIdentity();
+
+        Roles roles = identity.getRoles();
+        Assert.assertTrue(roles.contains("app-user"));
+        Assert.assertTrue(roles.contains("app-user-first-time-user"));
+        Assert.assertFalse(roles.contains("app-guest"));
+        Assert.assertFalse(roles.contains("app-guest-first-time-guest"));
+        Assert.assertFalse(roles.contains("app-user-first-time-guest"));
+        Assert.assertFalse(roles.contains("app-guest-first-time-user"));
+        Assert.assertFalse(roles.contains("joe"));
+        Assert.assertEquals("user4", identity.getPrincipal().getName());
+    }
+}
diff --git a/elytron/src/test/java/org/wildfly/extension/elytron/SubsystemTransformerTestCase.java b/elytron/src/test/java/org/wildfly/extension/elytron/SubsystemTransformerTestCase.java
index b12f42b208e..03adbbb303b 100644
--- a/elytron/src/test/java/org/wildfly/extension/elytron/SubsystemTransformerTestCase.java
+++ b/elytron/src/test/java/org/wildfly/extension/elytron/SubsystemTransformerTestCase.java
@@ -157,6 +157,8 @@ public void testRejectingTransformersEAP720() throws Exception {
                 .addFailedAttribute(SUBSYSTEM_ADDRESS.append(PathElement.pathElement(AGGREGATE_REALM, "AggregateTwo")), REJECTED_RESOURCE)
                 .addFailedAttribute(SUBSYSTEM_ADDRESS.append(PathElement.pathElement(ElytronDescriptionConstants.WEBSERVICES)),
                         FailedOperationTransformationConfig.REJECTED_RESOURCE)
+                .addFailedAttribute(SUBSYSTEM_ADDRESS.append(PathElement.pathElement(ElytronDescriptionConstants.REGEX_ROLE_MAPPER, "RegexRoleMapper")),
+                        FailedOperationTransformationConfig.REJECTED_RESOURCE)
                 );
     }
 
diff --git a/elytron/src/test/resources/org/wildfly/extension/elytron/compare-mappers.xml b/elytron/src/test/resources/org/wildfly/extension/elytron/compare-mappers.xml
index 0f7b0ad0ed2..dde915d54ef 100644
--- a/elytron/src/test/resources/org/wildfly/extension/elytron/compare-mappers.xml
+++ b/elytron/src/test/resources/org/wildfly/extension/elytron/compare-mappers.xml
@@ -116,6 +116,7 @@
             <evidence-decoder name="rfc822Decoder"/>
             <evidence-decoder name="subjectDecoder"/>
         </aggregate-evidence-decoder>
+        <regex-role-mapper name="RegexRoleMapper" pattern=".*-[a-z]*" replacement="$1"/>
     </mappers>
     <permission-sets>
         <permission-set name="my-permissions">
diff --git a/elytron/src/test/resources/org/wildfly/extension/elytron/elytron-transformers-4.0-reject.xml b/elytron/src/test/resources/org/wildfly/extension/elytron/elytron-transformers-4.0-reject.xml
index c8012d85015..ff265872e3f 100644
--- a/elytron/src/test/resources/org/wildfly/extension/elytron/elytron-transformers-4.0-reject.xml
+++ b/elytron/src/test/resources/org/wildfly/extension/elytron/elytron-transformers-4.0-reject.xml
@@ -86,6 +86,7 @@
             <evidence-decoder name="subjectDecoder"/>
         </aggregate-evidence-decoder>
         <regex-principal-transformer name="RegexOne" pattern="a" replacement="b" />
+        <regex-role-mapper name="RegexRoleMapper" pattern=".*-[a-z]*" replacement="$1"/>
     </mappers>
     <tls>
         <key-stores>
diff --git a/elytron/src/test/resources/org/wildfly/extension/elytron/groups.properties b/elytron/src/test/resources/org/wildfly/extension/elytron/groups.properties
index fcc6e5df3c0..98e3c7b2daa 100644
--- a/elytron/src/test/resources/org/wildfly/extension/elytron/groups.properties
+++ b/elytron/src/test/resources/org/wildfly/extension/elytron/groups.properties
@@ -1 +1,4 @@
-user1=firstGroup,secondGroup
\ No newline at end of file
+user1=firstGroup,secondGroup
+user2=joe,123-user
+user3=123-admin-123,joe,aa-user-aa
+user4=app-guest,app-guest-first-time-guest,joe
diff --git a/elytron/src/test/resources/org/wildfly/extension/elytron/mappers.xml b/elytron/src/test/resources/org/wildfly/extension/elytron/mappers.xml
index b9a642fe200..4fbb9b1186f 100644
--- a/elytron/src/test/resources/org/wildfly/extension/elytron/mappers.xml
+++ b/elytron/src/test/resources/org/wildfly/extension/elytron/mappers.xml
@@ -116,6 +116,7 @@
             <evidence-decoder name="rfc822Decoder"/>
             <evidence-decoder name="subjectDecoder"/>
         </aggregate-evidence-decoder>
+        <regex-role-mapper name="RegexRoleMapper" pattern=".*-[a-z]*" replacement="$1"/>
     </mappers>
     <permission-sets>
         <permission-set name="my-permissions">
diff --git a/elytron/src/test/resources/org/wildfly/extension/elytron/role-mappers-test.xml b/elytron/src/test/resources/org/wildfly/extension/elytron/role-mappers-test.xml
index 2941fe13fca..962af625d4f 100644
--- a/elytron/src/test/resources/org/wildfly/extension/elytron/role-mappers-test.xml
+++ b/elytron/src/test/resources/org/wildfly/extension/elytron/role-mappers-test.xml
@@ -16,6 +16,18 @@
         <security-domain name="TestDomain4" default-realm="ClearPropertyRealm" permission-mapper="ConstantPermissionMapper">
             <realm name="ClearPropertyRealm" role-mapper="KeepBothMappedRoleMapper" role-decoder="GroupsToRoles"/>
         </security-domain>
+        <security-domain name="TestDomain5" default-realm="ClearPropertyRealm" permission-mapper="ConstantPermissionMapper">
+            <realm name="ClearPropertyRealm" role-mapper="MyRegexMapper" role-decoder="GroupsToRoles"/>
+        </security-domain>
+        <security-domain name="TestDomain6" default-realm="ClearPropertyRealm" permission-mapper="ConstantPermissionMapper">
+            <realm name="ClearPropertyRealm" role-mapper="MyRegexMapper2" role-decoder="GroupsToRoles"/>
+        </security-domain>
+        <security-domain name="TestDomain7" default-realm="ClearPropertyRealm" permission-mapper="ConstantPermissionMapper">
+            <realm name="ClearPropertyRealm" role-mapper="MyRegexMapper3" role-decoder="GroupsToRoles"/>
+        </security-domain>
+        <security-domain name="TestDomain8" default-realm="ClearPropertyRealm" permission-mapper="ConstantPermissionMapper">
+            <realm name="ClearPropertyRealm" role-mapper="MyRegexMapper4" role-decoder="GroupsToRoles"/>
+        </security-domain>
     </security-domains>
     <security-realms>
         <properties-realm name="ClearPropertyRealm">
@@ -44,6 +56,10 @@
             <role-mapping from="firstGroup" to="mappedGroup"/>
             <role-mapping from="dontMap" to="notInThisGroup"/>
         </mapped-role-mapper>
+        <regex-role-mapper name="MyRegexMapper" pattern=".*-(user)" replacement="application-$1"/>
+        <regex-role-mapper name="MyRegexMapper2" pattern=".*-([a-zA-Z]*)-.*" replacement="$1" keep-non-mapped="false"/>
+        <regex-role-mapper name="MyRegexMapper3" pattern=".*-([a-zA-Z]*)-.*" replacement="$1" keep-non-mapped="true"/>
+        <regex-role-mapper name="MyRegexMapper4" pattern="guest" replacement="user" keep-non-mapped="false" replace-all="true"/>
     </mappers>
     <permission-sets>
         <permission-set name="login-permission">
diff --git a/elytron/src/test/resources/org/wildfly/extension/elytron/users-clear.properties b/elytron/src/test/resources/org/wildfly/extension/elytron/users-clear.properties
index 6291f66299b..0c269e8d564 100644
--- a/elytron/src/test/resources/org/wildfly/extension/elytron/users-clear.properties
+++ b/elytron/src/test/resources/org/wildfly/extension/elytron/users-clear.properties
@@ -2,4 +2,6 @@
 firstUser=clearPassword
 user1=password1
 user2=password2
-jsmith@example.redhat.com=clearPassword
\ No newline at end of file
+user3=password3
+user4=password4
+jsmith@example.redhat.com=clearPassword