So, shouldn't this required privilege be documented somewhere as part of the webapp deployment process ?