Hello,

Please bear with me while I try to explain my question. I don't understand the J2EE security mechanism as well as I should.

Here's what I want to do. In the client application, I want to provide a user interface for invoking some methods on an EJB. Say the client application renders an entity bean and there is a method public void reset() on the entity bean. I want to enable or disable a menu item based on whether the current user is authorized to invoke the method.

From what I understand, upon deployment users are assigned to roles and roles authorized to invoke methods. Is there a way for the client application to establish whether the current user is able to invoke the method? I can get the current user from the InitialContext as (Principal)getContext().getEnvironment().get("java.naming.security.principal"). Right? Can I somehow do the equivalent of Principal.canInvoke("SessionBean.methodName")?

I'm not sure whether the question is even reasonable. However, there must be a way for the client application's UI to dynamically adjust itself based on the deployment security criteria. Or am I confused about something basic?

Thanks,
Vidur

PS. If possible, please cc me