With Matrix based security (delegated to Servlet container), with EVERY right removed (not even read) to the Anonymous role, i am still able to remotely run restart, clear-queue using, version, ... using the hudson-cli (and probably others i didnt try). However, some actions like reload-configuration correctly fail with hudson.security.AccessDeniedException2: anonymous is missing the Administer permission).