My understanding is that instance-level security info is not related to the transaction type, but rather if the method has been invoked by a client, i.e getCallerPrincipal() and isUserInRole() return you security info about the client.
Therefore the following methods can get security info about a client:
MessageDrivenBeans - no client, no security info.
Stateless SessionBeans - business methods
Stateful SessionBeans - ejbCreate, ejbPassivate, ejbActivate, ejbRemove, Business Methods
Synchronized SessionBeans - same as Stateful, with afterBegin, beforeCompletion, afterCompletion.
Entity Beans - ejbCreate, ejbPostCreate, ejbLoad, ejbStore, ejbRemove home business methods, business methods.
As these methods get invoked as a result of a client call. Don't take this list as being exhaustive as I might have missed some methods out though.
