"spambob" wrote : | 1. the security-rules.drl requires - i.e. - a Member in the working memory: is it right that those objects are inserted into the working memory via s:hasPermission / RuleBasedIdentity.hasPermission(...) (the 3rd+ parameter) and they stay there only for one evaluation ? Yes, they only stay there for a single permission evaluation. "spambob" wrote : | 2. The PermissionCheck objects & the additional facts live in the working memory only for one evaluation - so if I have 2 permissions checks within 1 request that check for the same permission all the stuff is reevaluated a 2nd time ? That's right. "spambob" wrote : | 3. The most important one: Why do you add "activation-group permissions" in the security-rules.drl file (the rules should be mutually exclusive because there is just one PermissionCheck in the working memory) ? Strictly speaking you probably don't need this. I've just included it as a safety mechanism to ensure that only one of the rules will match (I previously had a catch-all rule to deal with role permissions, but these have been removed). View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4017938#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...