Brian Stansberry [https://community.jboss.org/people/brian.stansberry] commented on the document "Access control notes" To view all comments on this document, visit: https://community.jboss.org/docs/DOC-48596#comment-11965 -------------------------------------------------- Now for the second question: If we want to have a god-like role, then any "split" can be deferred from this iteration. We add the god-like role for this first iteration, and then in a later iteration we add a new role with only application level security permissions. Possibly we could add a 3rd with only administrative security permissions, if that was a valid use case. A twist on this is the "Auditor" role notion. An Auditor role is someone with read-only access to everything, but is the only person with access to the administrative audit resources. This approach ensures that a god-like administrator still has someone to watch over him/her. I don't think having an Auditor role either now or in the future precludes having an otherwise god-like Administrator role in the first iteration. --------------------------------------------------