I would look to implement the security deployer as one that: - Created a child component for the JaccPolicy on the top-level deployment - for each deployment context with security metdata that affects the JaccPolicy(and the top-level deployment may apply as in the case of standalone ejb jars, wars), either augment the JaccPolicy metadata, or create another pojo for the jacc permissions that need to link to the JaccPolicy. The first step is to define the pojos and metadata needed to introduce a jacc security policy into a standalone mc deployment, and then come back to how to integrate these into the jbossas deployments. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3992878#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...