In the EAP 6 release notes, we had the following entry in the Known Issues section of the Release Notes:
Some resources are non-addressable to server-group and host scoped roles in order to provide a simplified view of the management model to improve usability. This is distinct from resources that are non-addressable to protect sensitive data.
For server-group scoped roles this means that resources in the `profile`, `socket binding group`, `deployment`, `deployment override`, `server group`, `server config` and `server` portions of the management model will not be visible if they are not related to the server-groups specified for the role.
For host-scoped roles this means that resources in the `/host=*` portion of the management model will not be visible if they are not related to the server groups specified for the role.
However, in some cases this simplified view can hide information that, while it is outside the scope of what the user is managing, can provide guidance to the user as to a course of action. An example of this is http://bugzilla.redhat.com/show_bug.cgi?id=1015524[BZ# 1015524].
In a future release, some of these non-addressable resources might be changed to be addressable but non-readable. This will not affect the security of the server because they were not non-addressable for security reasons. Red Hat recommends that you do not rely on the non-addressability of resources to hide information unless the non-addressability is defined in a sensitivity constraint.
The EAP 6 BZ is https://bugzilla.redhat.com/show_bug.cgi?id=1021607
I've confirmed with Brian Stansberry that this still applies to EAP 7, so I believe we want to have it documented in the EAP 7 Release Notes.