The problem is that two DelegatingPolicy instances are being created: - one from the Ejb3PolicyConfigurationFactory - one from the deployers/jacc-service.xml On my box, its the Ejb3PolicyConfigurationFactory that runs first and sets the DelegatingPolicy.instance value. Its the deployers/jacc-service.xml instance that is installed as the java.security.Policy value, and the java.security.Policy how the EJBJACCPolicyModuleDelegate initiates security checks. All jacc permission creation access the DelegatingPolicy via the PolicyConfigurationFactory, and this uses the DelegatingPolicy.instance, so context permissions uses one DelegatingPolicy, and the EJBJACCPolicyModuleDelegate uses another. If I added a dependency to the ejb3.deployer/META-INF/ejb3-deployers-beans.xml Ejb3Deployer on the JaccPolicyProvider: | <bean name="Ejb3Deployer" class="org.jboss.ejb3.deployers.Ejb3Deployer"> | <property name="type">ejb3x</property> | ... | <depends>jboss.security:service=JaccPolicyProvider</depends> | </bean> | then the tests pass at a 90% rate on my box. The Ejb3PolicyConfigurationFactory should be a property that is injected as its in general not sufficient to use the default logic of the javax.security.jacc.PolicyConfigurationFactory to create the DelegatingPolicy. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4113083#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...