The RBAC configuration is stored in domain.xml. A slave HC unable to contact the master may not have access to domain.xml content. Need to provide config options:
1) If the host is running with cached-dc set, is using the cached data allowed?
Default should be yes, and this may not be configurable at all in WF 8 (or perhaps ever). Use of --cached-dc on the command line in general implies that the local domain.xml content is authoritative.
2) The admin-only mode without --cached-dc. Configure whether the system should:
a) contact the master to pull down domain wide config, but not actually register as a member.
b) if a) isn't enabled or fails:
i) fail boot
ii) run with any authenticated user able to act as SuperUser.
The default would be b)ii) as this is compatible with previous releases.