Although a lot of you do not seem to be using security yet, as no one has answered my posts. Well, I have not solved it; it is a bug.

The bug is that two or more security roles cannot have access to the same methods. For example, say I have a method on Mybean called methodA() and I have 2 defined security roles:

    <security-role>
        <description>role 1</description>
        <role-name>role1</role-name>
    </security-role>
    <security-role>
        <description>role 2</description>
        <role-name>role2</role-name>
    </security-role>

Then this method permission configuration is not possible in Orion:

    <method-permission>
        <description>peter</description>
        <role-name>role1</role-name>
        <method>
            <ejb-name>ejb/MYBean</ejb-name>
            <method-name>methodA</method-name>
        </method>
    </method-permission>
    <method-permission>
        <description>peter</description>
        <role-name>role2</role-name>
        <method>
            <ejb-name>ejb/MYBean</ejb-name>
            <method-name>methodA</method-name>
        </method>
    </method-permission>

This says that both "role1" and "role2" have access to call methodA. However, if I have a user who is in "role2" (e.g. by putting them in an Orion group that is mapped to role1) and I try to access methodA, then Orion will only check if user1 is in "role1" (e.g. by checking if the user is in an Orion group mapped to role1). If they are not (as in this case), Orion does not check if they are in role2 (e.g. by checking if the user is in an Orion group mapped to role2).

It seems to me Orion checks the first role that can access a method and uses that role. So you get a one to one relationship between methods and roles. So the relationship above is:

methodA can be accessed by "role1"

So a solution to this: one role per method. This means we have this.
    <security-role>
        <description>role 1</description>
        <role-name>role1</role-name>
    </security-role>
    <security-role>
        <description>role 2</description>
        <role-name>role2</role-name>
    </security-role>
    <method-permission>
        <description>peter</description>
        <role-name>role1</role-name>
        <method>
            <ejb-name>ejb/MYBean</ejb-name>
            <method-name>methodA</method-name>
        </method>
    </method-permission>
    <method-permission>
        <description>peter</description>
        <role-name>role2</role-name>
        <method>
            <ejb-name>ejb/MYBean</ejb-name>
            <method-name>methodB</method-name>
        </method>
    </method-permission>

methodA accessed by role1
methodB accessed by role2

So if I want a user to access methodA and methodB then they have to be in role1 and role2. Now this works fine because Orion has a one to one relationship.

HOWEVER: As we know, this is a bug, and the relationship between methods and roles should be one to many. A method can be accessed by many roles.

So in one of my requirements I have a method methodA() that needs to be accessed by 2 roles, "super" and "editor". Now role "super" can always access the method and execute the contents. However, role "editor" can always access the method, but depending on an internal value, role "editor" may or may not be able to execute the contents of the method. So I need a one to many mapping between my methodA and my two roles. This is not possible at the moment.

Comments...
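
Added example, not part of the original post: a Python sketch that reads the method-permission entries from a descriptor like the one in the post, lists the methods granted to more than one role, and contrasts a one-to-many check with a first-role-only check that models the behaviour the post reports. The function names and the constructed sample (including the methodB grant) are assumptions; Orion's own code is not shown on the page.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample based on the post's entries, wrapped in one root element.
DESCRIPTOR = """<assembly-descriptor>
  <method-permission><role-name>role1</role-name>
    <method><ejb-name>ejb/MYBean</ejb-name><method-name>methodA</method-name></method>
  </method-permission>
  <method-permission><role-name>role2</role-name>
    <method><ejb-name>ejb/MYBean</ejb-name><method-name>methodA</method-name></method>
    <method><ejb-name>ejb/MYBean</ejb-name><method-name>methodB</method-name></method>
  </method-permission>
</assembly-descriptor>"""

def method_roles(xml_text):
    """Map (ejb-name, method-name) -> granted roles, in declaration order."""
    grants = defaultdict(list)
    for perm in ET.fromstring(xml_text).iter("method-permission"):
        roles = [r.text.strip() for r in perm.findall("role-name")]
        for m in perm.findall("method"):
            key = (m.findtext("ejb-name").strip(),
                   m.findtext("method-name").strip())
            for role in roles:
                if role not in grants[key]:
                    grants[key].append(role)
    return dict(grants)

def shared_methods(grants):
    """Methods granted to several roles, i.e. those the reported behaviour affects."""
    return {k: v for k, v in grants.items() if len(v) > 1}

def allowed_any_role(grants, key, caller_roles):
    """One-to-many semantics: membership in any granted role is enough."""
    return any(r in caller_roles for r in grants.get(key, []))

def allowed_first_role_only(grants, key, caller_roles):
    """Model (assumption) of the reported behaviour: only the first role is checked."""
    roles = grants.get(key, [])
    return bool(roles) and roles[0] in caller_roles

if __name__ == "__main__":
    grants = method_roles(DESCRIPTOR)
    for key, roles in shared_methods(grants).items():
        print(key, "granted to", roles)
        for caller in ({"role1"}, {"role2"}):
            print("  caller", sorted(caller),
                  "any-role:", allowed_any_role(grants, key, caller),
                  "first-role-only:", allowed_first_role_only(grants, key, caller))
```

Any method that `shared_methods` reports is one where a caller holding only a later-declared role would be denied under the first-role-only model, so those are the grants to test against the container.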