To disconnect a user one has to be a "root" or a process that started the database.
Same permission is needed to shutdown. All is good.
To disable replication ( Source or Target ) no permission is needed. Any one can disable OE replication.
Does that sound right for everyone ?
OE 11.7.1 on IBM AIX 7.1
No
I'd tend to agree; elevated perms should be required.
There might also be an argument for optionally restricting access by user/group to start/stop Webspeed/Appserver/etc.
In theory you could change the perms in $DLC/bin, though that change would need to be reapplied on every reinstall and possibly on patch/hotfix.