The reason why I said I wasn't sure if that was the answer that you were looking for, is that I am not positive that my way is correct either.
However, my thinking was, that the Server is on the server, and the person starting and running the server has to be on the server and therefore can do anything they want anyway. You can not start the server remotely, or not so in my case
But the reason why I have it on the client, is that the client could be anyone, and I would only want them to only have certain permissions.
Think about
Applets, where is the security there, on the client, so that an applet can't hurt the client. At least that's what I believe, and I have been known to be wrong, often.
Mark