Yes, but no you did not start at the wrong point. You can have the authenication/authorisation (currently participant, administrator and manager) and roles/memberships at the processlevel (up to you) separated. I just assumed you would also want the users to login against the ldap server. btw, only the 3.2 branche (just in alpha) uses authentication and authorization on the container. In 3.1 it is still 'custom'. The roles/memberships do not differ much between 3.1/3.2 View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3986972#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...