Add to the PDF spec:
"Access Control Context
"MBean Server operations on behalf of a remote client are executed in an access control context (see java.security.AccessControlContext) where checked permissions must be held both by the authenticated Subject (or delegated Subject) and by the Subject that created the connector server. Without the latter check, an entity that had permissions to create a connector server but not some other permissions might be able to obtain those other permissions by creating a connector server and sending requests to it.
"If the Subject that created the connector server has a SubjectDelegationPermission for every Principal in the authenticated (or delegated) Subject, then its permissions are not checked for MBean Server operations. This means that there are two ways to configure the permissions of the connector server creator. Either it must have all the permissions that any remote client will need for its operations; or it must have a SubjectDelegationPermission for every Principal that a remote client will authenticate or delegate."