The management model for RBAC constraints is maintained using synthetic resources, with resources only existing for those items (SensitivityClassification and ApplicationClassification) that are registered in the current process. Operations that touch classifications unknown to that process will fail due to missing resource problems.

This is a big problem in the following scenarios:

1) Mixed domain, where legacy slaves do not know about newly introduced classifications.
2) Slimming scenarios where slaves are ignoring unrelated parts of the domain wide config and also don't have some extension installed, resulting in classifications registered by those extensions not being present.

A partial workaround to 1) is for the kernel to register transformers for newly introduced classifications (e.g. SERVER_SSL added in EAP 6.4.7 and EAP 7). But:

– that doesn't help with problem 2)
– only the kernel can register kernel transformers, so if extensions add new classifications there is no way for them to register the transformer.