The default authorizer has global roles for admin, operator, monitor, etc.

I would like to add a global role and then specify what MBeans the role is allowed
to use.

Imagine that you have a customer, who's app you are hosting, that may or may not
have application roles defined in deployment descriptors, but they want to use
the admin console to manage their own customer users and groups using the default
authenticator, and potentially for resource policy definitions as well. You only
want them to have read access to the console, with the exception of user/group
management for their own application.

So, basically, I want to give them "monitor" capability on the console as a whole,
but limited "admin" capability so that they can admin their security realm using
the console.

How would I accomplish such a thing?

Cheers,
Steve Maring