Show TOC

 Architecture of Security RolesLocate this document in the navigation structure

Application security roles that are based on the Java EE standard and which you can use to protect resources such as URLs or EJB methods. Security roles have the following characteristics:

  • It is a logical grouping of permissions that is defined by the developer.
  • You must define security roles.
    • Define security roles as annotations to the class. This is the preferred method of the Java standard.
    • Define security roles in the deployment descriptor (XML files) of a particular application.

      The deployment descriptors for the role are included in the WAR file for Web modules or the JAR file for EJB modules.

  • The container to which the application is deployed, creates appropriate permission collections on deployment.
  • The role relates only to the application for which it was defined.


The security roles are suitable for purely static, functional access control. This concept is based on the assignment of authorizations by activity (such as the activity financial accountant), but not by instances (such as by cost centers). This means that all users to which the role Financial Accountant is assigned can post for all cost centers.

With the security roles, the developer of an application can decide whether to use these rules purely declaratively or with programmatic role references:

  • Declarative security means that the container forces access control without the developer having to program it.
  • Programmatic security means that the developer uses a method to check whether a caller of an EJB or a Web resource has a specific role. The developer can control the display of individual control elements, according to the association of roles to the current user. In this way, for example, users to which the role queried in the reference is assigned can receive a more extensive display on the same Web page than users to which this role is not assigned. There is a mapping between the security role checked in the program (such as "USER") and the actual UME role that can be assigned to users by the administrator (such as "HR_CLERK"), that is, a different role may be assigned to the one that is actually checked in the program.

Work Flow for Security Roles

The developers program their applications and specify the security role associated in each case in the XML file. The administrator of the system then assigns these roles to UME roles. For more information, see Administration of Users, Groups, and Roles .