The configuration you are currently working on is how the client side process will authenticate as it connect to the server, this is not the place where you specify the role a user is required to be a member of as that would be define on the server side where the authorization constraints are applied.
In this situation to avoid a plain text password in the wildfly-config.xml you would be looking at making use of a credential store to hold the password, my colleague is going to be looking at writing a small blog post that illustrates how a credential store can be used with the wildfly-config.xml for this purpose.
Thanks Darran. Ok I will be waiting for the blog post. I hope it's going to be advertised in the portal news.