Not possible to add external roles to an ACL through the admin UI
In 1.6.x it's possible to edit an ACL and add additional (previously unseen) roles without restriction.
In 2.x, this is no longer possible.
It is arguable that if there is a set of possible external roles, those should be surfaced through a RoleProvider which would retrieve role information from an external system on demand, although this may introduce performance issues in the UI if there's a very large number of external roles available (in our case, possibly in excess of 50K).
The RoleProvider interface has a findRoles method, which allows for wildcard enabled queries. I think the provider(s) themselves should already support this, it's just a matter of wiring up the UI and its endpoints to support this.