consolidate all security configuration in the security "subsystem"
we just need to be clear about the distinction between application level security and domain level security. lack of separation leads to the question how the access control for different roles (i.e. operator vs admin security manager) can be realized.
an operator should be able to modify the application level security but prevented from accessing the domain level security. now if evething resides with the secuirty subsystem, we would either need very fine grained access control rules or a strict separation. My gut feeling tells the later is more comprehensible.