It seems strange that a stateful session bean can access it's clients security info in the ejbActivate and ejbPassivate but an entity cannot.
I surpose the entity is not associated with its client at that point. But it does make things more confusing.
Just one last question: It is impossible to access a resource manager or another bean without being in a transaction? (Does this depend on the transaction attribute of the accessed resource or bean?)