Hi Shane, I don't know what stsheak wants exactly, but I was about to ask a similar question, so I will use this topic instead of opening a new one. I've successfully implemented authentication and authorization using Seam security. It works great. I defined my roles on the database and bound many roles to one user, and many users to one role. When the user logs in, I get his roles. That's ok and works perfectly. I defined permissions using JBoss Rules. Then I annotated the methods with @Restrict, configured the exceptions on pages.xml, etc... That's ok and works perfectly. JBoss Rules is nice, but it would be better if I could get the roles permissions from the database. How can I do that and still use Seam security annotations like @Restrict to validate authorization? The problem is, when creating a new role or changing permissions, I have to edit drool's security files to explicity set the permissions, which means that every new role and permission must be done changing application code. What I want is to have an "admin" user log in the application, access a "create/edit role" action, define its permissions and bind the roles to the users (this last one I can do already). That way, I don't need to change my application code, no redeploy, and no hard-coded permissions into drool's files. The "admin" user is free to do what he wants. Thanks for any help. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4039958#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...