For WriterGroups with Security, this is already covered by the RolePermissions setting on the SecurityGroup that is used for controlling the access to the keys.
We just need to state that the roles are also applied to the internal data acquisition.

But we do not have anything for the WriterGroups without security.
We can probably state that WriterGroups without security have an Anonymous role for the internal data acquisition.

If the communication channel is not “public” e.g. if data is sent to a broker using transport security, it is necessary to configure permissions on the WriterGroup.

There was an agreement in the WG discussion to add the clarification in chapter 6.2.11 Information flow and status handling

For WriterGroups with related SecurityGroup, the permissions on the SecurityGroup are used.
For WriterGroups without related SecurityGroup, the default permission is for Anonymous
Define a standard property RolePermissions to be able to overwrite the default permission on a group without related SecurityGroup

The proposals from last discussions do not work. The access like through an internal session would have a list of Roles. The SecurityGroup, even if in the same application provides RolePermissions with is not the same.

The following properties would be part of the solution:
Table 4 – General PubSub configuration properties
Key: 0:Roles
DataType: NodeId[]
Description: Indicates the Roles the related PubSub component has when accessing elements in the Server address space.
Key: 0:RolePermissions
DataType: RolePermissionType[]
Description: Indicates the permissions required to access of configure the related PubSub component.

The description in " 6.2.11 Information flow and status handling" can refer to the '0:Roles' Property for the configured case. The question is what is the default. We may want to have a default Publisher and a default Subscriber Role list. A default without configuration could be Anonymous or Observer for Publisher and Operator for Subscriber