If the user uses a stock STS and attempts to create a "diagnostics" instance via the New Server Wizard, a dialog comes up saying that there was an error and instructing the user to look at permissions.
If you run the instance creation script from the command line, you see:
create failed. A value for the property 'diagnostics.jdbc.driverClassName' is required but was not provided. A value can be provided using --property diagnostics.jdbc.driverClassName=<value>
Now, one might say that the user should know enough to edit the configuration-prompts.properties file in $installDir/diagnostics/conf, but the error message should lead them to consider the possibility that the config file needs editing.