Only permissions to pages and portals can be managed in the *-object.xml file. Besides, even if it were possible to place instance permissions in *-object.xml, it might not do what you want. Both the portlet-instances.xml and *-object.xml file are used to initialize information about a portlet in the database. After that, all management of the portlet is done via the information in the database. While there is an if-exists tag you can place in those files, its actual behavior is sometimes not what you expect. In your case, I could see both the old and new permissions being resident in the database after the update. My recommendation is to always set if-exists to "ignore" and once the information has been loaded into the database to use the admin portal to do all management. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4172103#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...