howdy, guys !!!
I have been asking exactly the same question some time ago
[EJB 2.0 Specs] Security Question. Oh-h-h, tough one Nobody answered it
But my opinion is that it is optional for Bean Provider. But Application Assembler HAS TO define <role-link> for all references.
Other option [this is solely my own opinion] could be that
EJB Container may ingnore references without links.
Would be fine to hear from some EJB GURU, or REAL EJB GIRL (Kathy, of course

)