<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<body link="#355491" alink="#4262a1" vlink="#355491" style="background: #e2e2e2; margin: 0; padding: 20px;">
<div>
<table cellpadding="0" bgcolor="#FFFFFF" border="0" cellspacing="0" style="border: 1px solid #dadada; margin-bottom: 30px; width: 100%; -moz-border-radius: 6px; -webkit-border-radius: 6px;">
<tbody>
<tr>
<td>
<table border="0" cellpadding="0" cellspacing="0" bgcolor="#FFFFFF" style="border: solid 2px #ccc; background: #dadada; width: 100%; -moz-border-radius: 6px; -webkit-border-radius: 6px;">
<tbody>
<tr>
<td bgcolor="#000000" valign="middle" height="58px" style="border-bottom: 1px solid #ccc; padding: 20px; -moz-border-radius-topleft: 3px; -moz-border-radius-topright: 3px; -webkit-border-top-right-radius: 5px; -webkit-border-top-left-radius: 5px;">
<h1 style="color: #333333; font: bold 22px Arial, Helvetica, sans-serif; margin: 0; display: block !important;">
<!-- To have a header image/logo replace the name below with your img tag -->
<!-- Email clients will render the images when the message is read so any image -->
<!-- must be made available on a public server, so that all recipients can load the image. -->
<a href="https://community.jboss.org/index.jspa" style="text-decoration: none; color: #E1E1E1">JBoss Community</a></h1>
</td>
</tr>
<tr>
<td bgcolor="#FFFFFF" style="font: normal 12px Arial, Helvetica, sans-serif; color:#333333; padding: 20px; -moz-border-radius-bottomleft: 4px; -moz-border-radius-bottomright: 4px; -webkit-border-bottom-right-radius: 5px; -webkit-border-bottom-left-radius: 5px;"><h3 style="margin: 10px 0 5px; font-size: 17px; font-weight: normal;">
Access control notes
</h3>
<span style="margin-bottom: 10px;">
new comment by <a href="https://community.jboss.org/people/heiko.braun">Heiko Braun</a> <a href="https://community.jboss.org/docs/DOC-48596#comment-11953">View all comments on this document</a>
</span>
<hr style="margin: 20px 0; border: none; background-color: #dadada; height: 1px;">
<div class="jive-rendered-content"><p><blockquote class="jive-quote"><span style="color: #555555; font-family: 'Lucida Sans', 'Lucida Sans Unicode', 'Lucida Grande', Verdana, Arial, Helvetica, sans-serif; font-size: 12px; background-color: #ffffff;">I'm not so sure that even rights to a referent are black-and-white when it comes to rights to a referrer. Just because I can read a security domain config doesn't mean I can read the config of every resource that references it. Perhaps I should be able to see all references so I know what's affected by the resource.</span></blockquote></p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>I can understand your point if view. IMO it depends on the question which use cases have precendence. I.e. think about a blank server configuration. Taken your example of a security domain and a remoting connector, you wold need to configure both ends. In this scenario I think we would agree that same rights on both ends (write access) are probably required. </p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>The example that you used builds on the assumption that one end is already configured. Precendence of use cases would mean that the foremost example will used to guide the design, not the later. The question is not what are the minimum security requirements, but what are permission are required at maximum. </p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>With regard to this I still believe, that whenever a reference is used as part of the configuration you'd require the same permissions on both ends to enable the full set of use cases that we can think of. IMO for reference this includes creation and removal of the the refernt in all cases.</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>Does that make sense?</p></div>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</div>
</body>
</html>