The security roles that you add are defined in the EJB deployment descriptor. Names of security roles do not need to match exactly the names of user groups or principals defined on the server. At deployment time, the administrator assigns the roles that you define to existing user groups and principals with existing security policies and services.
For finer-grained security within a bean, you can define security role references. You can then add programmatic security checks that cannot be expressed with method permissions, for example by calling isCallerInRole(String roleRefName).
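The following added example (not part of the original page) shows a check that method permissions cannot express, because it depends on an argument value. It assumes an EJB 2.x session bean; the names PaymentBean, approver, PaymentApprover and the threshold are hypothetical.

```java
import javax.ejb.SessionBean;
import javax.ejb.SessionContext;

/*
 * Matching ejb-jar.xml fragments (constructed for this example; other
 * session elements omitted). The role reference maps the name used in
 * code to a security role declared in the assembly descriptor.
 *
 * <session>
 *   <ejb-name>PaymentBean</ejb-name>
 *   <security-role-ref>
 *     <role-name>approver</role-name>         <!-- name passed to isCallerInRole -->
 *     <role-link>PaymentApprover</role-link>  <!-- security role it resolves to -->
 *   </security-role-ref>
 * </session>
 *
 * <assembly-descriptor>
 *   <security-role><role-name>PaymentApprover</role-name></security-role>
 * </assembly-descriptor>
 */
public class PaymentBean implements SessionBean {
    // Hypothetical limit: larger payments need a caller in the approver role.
    private static final long APPROVAL_THRESHOLD_CENTS = 1000000L;

    private SessionContext ctx;

    public void setSessionContext(SessionContext ctx) { this.ctx = ctx; }
    public void ejbCreate() {}
    public void ejbActivate() {}
    public void ejbPassivate() {}
    public void ejbRemove() {}

    // Method permissions decide who may call submitPayment at all;
    // the role check below adds a data-dependent rule on top of that.
    public void submitPayment(String account, long amountCents) {
        if (account == null || amountCents <= 0) {
            throw new IllegalArgumentException("invalid payment request");
        }
        if (amountCents > APPROVAL_THRESHOLD_CENTS && !ctx.isCallerInRole("approver")) {
            // Unchecked, so the container treats it as a system exception
            // and rolls back the transaction: the call fails closed.
            throw new SecurityException("caller may not submit payments above the threshold");
        }
        // Business logic for an authorized payment would go here.
    }
}
```

Because the code tests the reference name rather than a server group, the administrator can remap PaymentApprover to different groups or principals at deployment time without a code change.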
To add a security role to an EJB module (using the Deployment Descriptor editor), complete the following steps: