Brian Stansberry [https://community.jboss.org/people/brian.stansberry] commented on the document "ManagementLayer RBAC" To view all comments on this document, visit: https://community.jboss.org/docs/DOC-47854#comment-11140 -------------------------------------------------- I added a requirement to secure JMX interactions that don't end up delegating into the normal ModelController layer (i.e. mbeans outside the jboss-as JMX domain.) My hope is such mbeans can simply be another type of resource, with a different kind of address (ObjectName instead of PathAddress). I think that if there is any overlap in the permission configuration between JMX and the core management model, the allowed actions for a given request become the intersection of the sets of permissions. IOW, if the JMX scheme allows access to mbean jboss-as:subsystem=security but the core management model doesn't allow access to /subsystem=security, then the request will fail. This can be accomplished by doing a permission check in the JMX layer, and then the normal core management check is done in the core layer. Another option is to not allow JMX permissions to be set up for the JMX domains that result in calls into the core management layer. --------------------------------------------------