Having played a bit with the security API I assume the answer on 1. & 2. is Yes - please correct me if I'm wrong. Regarding 3.: anonymous wrote : Why do you add "activation-group permissions" in the security-rules.drl file (the rules should be mutually exclusive because there is just one PermissionCheck in the working memory) ? Is the answer: If they don't belong to the same activation group the rules engine would evaluate the remaining rules (after it found a match) although they obviously would evaluate to false - so you put them in the same activation-group to ensure it doesn't waste its time ? View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4017933#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...