Security roles are application security roles that are based on the Java EE standard and that you can use to protect resources such as URLs or EJB methods. Security roles have the following characteristics:
The deployment descriptors for the role are included in the WAR file for Web modules or the JAR file for EJB modules.
The security roles are suitable for purely static, functional access control. This concept is based on the assignment of authorizations by activity (such as the activity financial accountant), but not by instances (such as by cost centers). This means that all users to whom the role Financial Accountant is assigned can post for all cost centers.
With the security roles, the developer of an application can decide whether to use these rules purely declaratively or with programmatic role references:
Work Flow for Security Roles
The developers program their applications and, in each case, specify the associated security role in the XML file. The administrator of the system then assigns these roles to UME roles. For more information, see Administration of Users, Groups, and Roles.
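The following web.xml is an added example, not taken from the original documentation. It shows one security role used declaratively (a URL constraint) and through a programmatic role reference. The role name FinancialAccountant, the reference name ACCOUNTANT, the URL pattern, and the servlet names are assumptions chosen for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">

  <!-- Role declared by the developer. The administrator later maps it
       to a UME role; the descriptor itself names no users or groups. -->
  <security-role>
    <role-name>FinancialAccountant</role-name>
  </security-role>

  <!-- Declarative use: the container enforces the role on the URL.
       No <http-method> element is listed, so the constraint applies
       to every HTTP method, not only GET and POST. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Posting</web-resource-name>
      <url-pattern>/posting/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>FinancialAccountant</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Programmatic role reference: code in this servlet calls
       request.isUserInRole("ACCOUNTANT"); the role-link resolves that
       name to the declared role, so the code never hard-codes it. -->
  <servlet>
    <servlet-name>PostingServlet</servlet-name>
    <servlet-class>com.example.PostingServlet</servlet-class>
    <security-role-ref>
      <role-name>ACCOUNTANT</role-name>
      <role-link>FinancialAccountant</role-link>
    </security-role-ref>
  </servlet>
  <servlet-mapping>
    <servlet-name>PostingServlet</servlet-name>
    <url-pattern>/posting/*</url-pattern>
  </servlet-mapping>

  <!-- Both checks are by activity only: any user holding the role
       reaches /posting/* for every cost center. -->
</web-app>
```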