Have you verified that the actual indexed documents has the correct role(s) in the RolesWithReadAccess field? Or is that what you meant with "I have verified these roles in both CMS and Find shells, so they should be indexed alright."

 "RolesWithReadAccess$$string": [
        "Administrators",
        "CmsAdmins",
        "CmsEditors",
        "CmsPublishers",
        "Everyone"
    ],

And also verified that the user (Principal) is indeed in one of those roles when performing the search?

Just found and fixed this issue.

It all worked fine for a logged-in user. But it turns out that the name property of an anonymous ClaimsIdentity is null when in a WebAPI and SuppressDefaultHostAuthentication is enabled. Episerver, on the other hand, expects that name to at least be an empty string. So even though the anonymous user had some of the virtual roles with read access, and should therefore be able to see the pages, Episerver would ignore those virtual roles for that filter.

Thanks for posting the solution 

It is not Episerver doing however. Aspnetidentity by default expect a cookie for logged in users, and SuppressDefaultHostAuthentication removes that cookie for Web api controllers, rendering all requests to be anonymonus

Hi Quan

Using SuppressDefaultHostAuthentication together with a sorted list of passive host authentication filters (including the cookie middleware), so requests are not always anonymous. 😉

The issue was that SuppressDefaultHostAuthentication makes an unauthenticated request fall back to an identity with null name, but falling back to FallbackPrincipal.AnonymousPrincipal works.

But actually, even if Name is null, it would be nice if FilterOnReadAccess would recognize Anonymous and Everyone roles, as long as IsAuthenticated is false.