In 1.6.x it's possible to edit an ACL and add additional (previously unseen) roles without restriction.
In 2.x, this is no longer possible.
It is arguable that if there is a set of possible external roles, those should be surfaced through a RoleProvider which would retrieve role information from an external system on demand, although this may introduce performance issues in the UI if there's a very large number of external roles available (in our case, possibly in excess of 50K).
One possible way forward for this would be to add a method to RoleProvider like
boolean isRoleValid(String rolename)
Provider implementations could then choose to return true for everything (any role is acceptable), validate based on a pattern (e.g. a regex), or explicitly look up the role name.
The RoleProvider interface has a findRoles method, which allows for wildcard-enabled queries. I think the provider(s) themselves should already support this; it's just a matter of wiring up the UI and its endpoints to support this.
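The three provider strategies proposed above (accept everything, match a pattern, explicit lookup), as an added Java example that is not code from the project. The RoleValidator interface is a hypothetical stand-in carrying only the proposed isRoleValid method, and the role names, regex and in-memory directory are constructed for illustration.

```java
import java.util.Set;
import java.util.function.Predicate;
import java.util.regex.Pattern;

public class RoleValidationExample {
    // Hypothetical stand-in for the proposed addition to RoleProvider; only the
    // method signature comes from the proposal, everything else is assumed.
    interface RoleValidator {
        boolean isRoleValid(String rolename);
    }

    // Strategy 1: any role is acceptable. Rejecting null/blank names is an
    // extra guard added by this example so empty ACL entries cannot be saved.
    static RoleValidator acceptAll() {
        return name -> name != null && !name.trim().isEmpty();
    }

    // Strategy 2: pattern check. matches() tests the whole string, so a valid
    // prefix followed by unexpected characters is rejected.
    static RoleValidator matching(String regex) {
        Pattern p = Pattern.compile(regex);
        return name -> name != null && p.matcher(name).matches();
    }

    // Strategy 3: explicit lookup of one name in the external system (passed in
    // as a predicate), so the full role list is never enumerated. A failed
    // lookup counts as "not valid": an outage must not admit unknown roles.
    static RoleValidator lookup(Predicate<String> existsInDirectory) {
        return name -> {
            if (name == null) return false;
            try {
                return existsInDirectory.test(name);
            } catch (RuntimeException e) {
                return false;
            }
        };
    }

    public static void main(String[] args) {
        // Constructed sample data, not taken from any real deployment.
        Set<String> directory = Set.of("EXT_FINANCE_READ", "EXT_HR_ADMIN");
        RoleValidator[] validators = {acceptAll(), matching("EXT_[A-Z]+(_[A-Z]+)*"), lookup(directory::contains)};
        for (String c : new String[] {"EXT_FINANCE_READ", "EXT_TYPO_ROLE", "ext_hr_admin", ""}) {
            StringBuilder row = new StringBuilder("'" + c + "':");
            for (RoleValidator v : validators) row.append(' ').append(v.isRoleValid(c));
            System.out.println(row);
        }
    }
}
```

The pattern strategy still accepts a well-formed name that does not exist in the external system; only the lookup strategy stops a mistyped role from being written into an ACL.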