We have a webapp in WLS 6.1 which invoke isUserLocked() on the
ServerSecurityRuntimeMBean. In the process of upgrading to WLS 8.1 we
noticed that this method can now only be invoked by a user having the
Admin role. We can add a directive in the DD of the webapp and we
can now successfully invoked the method but we are a little bit worry
about the security issues involved.

Can we restrict the privileges if the created user to the given mbean only
Is it possible the explicitely create a separate role (not admin) wich can
access the method (apparently the ACL check for the Admin role is
hardcoded in the weblogic.management.internal.* ) ?