diff --git a/operational b/operational
index 899b50974715f8518afaa305d6b757e2fe409094..65eaa040c6d39eb108fb54a14727bc916e47fef0 100644
--- a/operational
+++ b/operational
@@ -245,6 +245,31 @@ vscode should at least always indent using space for F#.
 
 * current                                                             :entry:
 ** 
+** 2019-11-23 when default .ssh dir is in %programdata%\mbackup\.ssh,
+there is a security concern.
+when admin (one user) config mbackup target and ssh-key.
+other users may not want their files to be backed up to admin configured server.
+
+In current situation, user's files will be backed up without any user confirmation.
+
+- should I use global backup with global configuration or should mbackup always
+  use per user backup config?
+
+  For system files, local-list.txt and local-exclude.txt, use global configuration.
+  only backup current users's home dir if user have accepted to do so.
+  create a GUI to let user enable mbackup for current user.
+  implementation is easy. just add a reg key or create an empty file for current user.
+
+  So, mbackup is always global. User can choose whether they want their files to be backed up.
+- is it a security issue that config file can be modified by non-admin?
+  non-admin can change target dir to a dir he/she has access to, then read other user's files?
+  mbackup process won't be able to read other user's files.
+  but when admin user login, and runs mbackup. the non-admin user will now be able to
+  read other user's files.
+
+  Security requires more thinking. Current setup is for trusted PC, such as single user PC
+  or family PC. It's not ready for multi-user PC, workstation or Windows server.
+
 ** 2019-11-23 add an icon for desktop shortcut.
 use recognizable backup icon, with some color.
 ** 2019-11-18 add dockerfile to create rsync mingw64 distribution,