SetAttribute(s)Handler, InvokeHandler and CreateMBeanHandler call MBeanServer.getClassLoader() and MBeanServer.getClassLoaderFor() to set the correct classloder before invoking the 'real' methods on the MBeanServer. For WildFly's rbac implementation, these getClassLoader(For) methods are very strict only allowing superuser or administrator to call them. Since the function of these calls is internal for setAttribute(s), invoke, createMBean() the subject should be cleared, allowing them to be called in this 'internal' fashion.