...
Instead of an inline definition, one or more search paths can be supplied using <ExternalApplicationOverrides> elements (one path per element), and the system will look for overrides at runtime by appending the string "-override.xml" to the applicationId to attempt to read an XML file by that name in one of the supplied search paths.
The file must contain the entireĀ <ApplicationOverride> element (including appropriate namespace declaration) that would have been placed inside the main file, and theĀ id attribute in the root element must of course match the application ID it's expecting to find in that file. Beyond that, there are no additional security measures, but this can be combined with appropriate file system protections to delegate control over the override's settings to somebody without access to the main configuration.
...