Hi all, well part-I is really near the corner, I left as last a refresh on EJB roles. I can see (Sun Architect certification book) that a few activities are mapped to more than one role. In particular "setting tx-attributes" seems to be delegated to:
The application assembler is responsible for the transaction attributes. Tx attributes come under the <assembly-descriptor> section, which is the app assembler's area.
The app assembler is also responsible for creating the logical security roles that make sense for the application. She does this using the security-role element in the DD. But the bean is going to be deployed in the deployer's company and hence the role names defined by the app assembler may not match the real groups in the company. Hence the deployer is responsible for mapping the logical security roles defined by the app assembler to the actual users and groups that exist in his company. This is done in a vendor-specific way outside of the EJB DD. Also the company may use its own way of storing users and groups, for example have an LDAP authentication server. It's the deployer's responsibility to assign the security domain and the principal realm to the application.
The bean provider may hard code roles in his code to implement programmatic security; he has to announce them in the DD through the security-role-ref element. The app assembler will add a role-link to it to map it to the security-role that she defines.
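
The hand-off described in the answer above can be checked mechanically before deployment. The following is an added example, not part of the original posts: it parses a constructed, trimmed EJB 2.x-style `ejb-jar.xml` fragment (bean and role names are made up) and reports every `security-role-ref` that the assembler has not linked to a declared `security-role`, and lists the transaction attributes found in `<assembly-descriptor>`.

```python
import xml.etree.ElementTree as ET

# Constructed ejb-jar.xml fragment (EJB 2.x style, no namespace), trimmed to the
# elements discussed above; bean and role names are made up for illustration.
SAMPLE_DD = """\
<ejb-jar>
  <enterprise-beans>
    <session>
      <ejb-name>PayrollBean</ejb-name>
      <security-role-ref>            <!-- declared by the bean provider -->
        <role-name>mgr</role-name>   <!-- name hard-coded in the bean -->
        <role-link>manager</role-link>  <!-- added by the app assembler -->
      </security-role-ref>
      <security-role-ref>
        <role-name>audit</role-name>    <!-- not linked yet -->
      </security-role-ref>
    </session>
  </enterprise-beans>
  <assembly-descriptor>
    <security-role><role-name>manager</role-name></security-role>
    <container-transaction>
      <method><ejb-name>PayrollBean</ejb-name><method-name>*</method-name></method>
      <trans-attribute>Required</trans-attribute>
    </container-transaction>
  </assembly-descriptor>
</ejb-jar>
"""

def check_role_links(dd_xml):
    """Return (bean, coded_role, problem) for each security-role-ref that does
    not resolve to a security-role declared in the assembly-descriptor."""
    root = ET.fromstring(dd_xml)
    declared = {r.findtext("role-name", "").strip()
                for r in root.findall("assembly-descriptor/security-role")}
    problems = []
    for bean in root.findall("enterprise-beans/*"):
        name = bean.findtext("ejb-name", "").strip()
        for ref in bean.findall("security-role-ref"):
            coded = ref.findtext("role-name", "").strip()
            link = ref.findtext("role-link")
            if link is None:
                problems.append((name, coded, "missing role-link"))
            elif link.strip() not in declared:
                problems.append((name, coded, "undeclared role " + link.strip()))
    return problems

def tx_attributes(dd_xml):
    """List (bean, method, trans-attribute) set in the assembly-descriptor."""
    root = ET.fromstring(dd_xml)
    return [(c.findtext("method/ejb-name"), c.findtext("method/method-name"),
             c.findtext("trans-attribute"))
            for c in root.findall("assembly-descriptor/container-transaction")]
```

The mapping of `manager` to real users and groups is not visible here, since the deployer does that in a vendor-specific descriptor outside the EJB DD.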