Thanks Shane. As it turns out, I found a simpler way to implement this, by just passing the role name to the permission check in the "name" (1st) argument of hasPermission(). However, your response did help me to understand how to use the third argument, which is pretty cool and something I will no doubt be using later. In case it helps anyone else trying to implement something simliar, here is my revised code to load the SelectItems to be used in the view: The session bean method to determine which items should be in the list: public ArrayList<SelectItem> getRoleList() { | | ArrayList<SelectItem> roleNames = new ArrayList<SelectItem>(); | | ArrayList<Role> roles = (ArrayList<Role>) entityManager.createQuery("from Role") | .getResultList(); | | for (Role r : roles) { | if ( ! r.getDisabled()) { | if (identity.hasPermission(r.getRole(), "create")) { | roleNames.add(new SelectItem(r.getRole())); | } | } | } | return roleNames; | } The drools rules that apply: rule CanAddCompanyAdmin | when | c: PermissionCheck(name == "Company Admin", action == "create") | Role(name == "Super Admin") | then | c.grant(); | end; | | | rule CanAddClientAdmin | when | c: PermissionCheck(name == "Client Admin", action == "create") | Role(name == "Company Admin") | then | c.grant(); | end; View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4026652#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...