Hm. But you are forgetting that in addition to what you are saying the user also needs roles defined for reading from everything, which isn't really that useful. Why allow something to be created that you yourself cannot access? It should be consistently one or the other. A temp destination created by a client cannot be consumed from unless that client has a read role on everything (since the temporary destination roles aren't covered by any specific security configuration property). View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4055948#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...