One per top level deployment. You don't need a schema for the dependency as it not going to be expressed in any descriptor. Its a runtime dependency that the security deployer adds to the component that expresses the fact that the reference to the security metadata has introduced a dependency on the policy object. If a different (non-jacc) security deployer is in use because jacc is not being used, then there would be no JaccPolicy. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3992095#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...