When the initial EJB bean is called - it's an EJB 3.0 webservice bean - I'm able to
get the current context Subject, and from that I can get the principal sets, and from them
I can get the full list of a user's roles.
That's actually working.
The problem occurs when I call another EJB 3.0 bean from the first bean. The second bean
seems to have lost the initial security context so that I can't get the context
Subject.
As for the isCallerInRole, this is only useful when you already know the role.
That's taken care of by the @RolesAllowed annotation so I really don't need to
call isCallerInRole. What I'm trying to do is allow for dynamic role-based access to
specific data elements in the database, and I can only do that if I can pull the
user's role list.
Also, I'm concerned that if the Subject context is lost then I might not be able to
call from one Application server instance to another using the same security
associations.