Hi, would it help to add "role1" to the @RolesAllowed of EJB2? If not: you could take a look at the @RunAs annotation (ejb spec 17.3.4): anonymous wrote : Establishing a run-as identity for an enterprise bean does not affect the identities of its callers, which | are the identities tested for permission to access the methods of the enterprise bean. The run-as identity | establishes the identity the enterprise bean will use when it makes calls. Thus, your bean would make all calls to ejb2 as the role specified by "@RunAs", but it's own methods would require "role1". Hope this helps Wolfgang View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4210719#... Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&a...