Oops, you're absolutely right. In seamspace it works because the role check is performed within the context of a (rule-based) permission check. I've fixed this in CVS so that RuleBasedIdentity now checks the security context for the existence of the role (as well as checking the subject), however if you can't test with the latest CVS version you could alternatively replace your s:hasRole() expression with an s:hasPermission() expression that simply checks for the existence of the required role. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4090880#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...