Deployed security roles

A direct mapping between the security roles specified in a bean's deployment descriptor and individual users may not adequately control access to bean methods. For example To provide the degree of control that is needed in these and other cases, you can qualify the security roles at the application level and the system level. A security role with its qualifiers is known as a deployed security role. Here is an example of a role name which is qualified at both levels:
test.payroll.team_leader

At the application level, security roles are qualified by the display name, if one is specified in the deployment descriptor. If a display name is not specified, the security roles are not qualified at the application level. If an application level qualifier is used, a period (.) is used as the delimiter; if no qualifier is used, there is no delimiter.

At the system level, security roles are optionally qualified with a prefix which is specified in the EJBROLEPRFX system initialization parameter. If EJBROLEPRFX is not specified, the security roles are not qualified at the system level. If a system level qualifier is used, a period (.) is used as the delimiter; if no qualifier is used, there is no delimiter.

This example shows how security roles defined in a bean's deployment descriptor can be qualified: When the two levels of qualification are applied to the security roles specified in the deployment descriptor, the deployed security roles are:
payroll.manager        executive.payroll.manager        test1.manager
payroll.team_leader    executive.payroll.team_leader    test1.team_leader
payroll.data_entry     executive.payroll.data_entry     test1.data_entry
Each of these deployed roles can be mapped to individual users (or groups of users) to suit the security need of the enterprise.
If a security role is not qualified at the application level, or at the system level, then the deployed security role is the same as the security role defined in the deployment descriptor. For example, if the bean in the previous example is used in an application which does not have a display name, and the application is used in a system that does not specify EJBROLEPRFX, then the deployed security roles are:
manager
team_leader
data_entry