I created 2 users named "admin" and "mdoadmin", and a group, PPO_USERS. I attached admin to the group PPO_USERS. Then I gave JNDI lookup permission only to user "admin". Now if I log in as "mdoadmin" programmatically and do a lookup on, say, the datasource, I am able to do the lookup. I am even able to do a "rebind", unbind, etc.!

This is how my fileRealm.properties looks:

group.PPO_USERS=admin
acl.lookup.weblogic.jndi.path=admin
user.mdoadmin=0xe4f81d278faffc5c9130fd3b4c920a69ef2aa9b5
user.admin=0x2062f71509915d790817e6417b6b27a49d54fa3f

Any reasons as to why WebLogic is allowing me to do that?

Thanks!
Krithika.