application security versus adminstrative security
talking to darran: it seems the secuirty subsystem is only used for application level security and clearly separated from the adminstrative secuirty. Can sombody confirm this?
Ideally it should be the location of all security configuration. I do encourage moving the configuration to the security subsystem.