I think that the main requirement is a client security context rather than a transaction context. This is because other EJBs and resources need to know if they can grant access to their methods or not; therefore, a client security context is needed. Some methods and resources may not want to run in a transaction, i.e. NotSupported, Never; therefore, transaction contexts may not always be necessary.
Basically, from my point of view: To access another EJB or resource we must always have a client security context, but not necessarily a transaction context.
Regards,
James.