Hello I would like to allow an external user to have access to some EJB methods. I have successfully set all the security constraints, however the only way I have found to get my client app to work is with the following entry in principals.xml <principals> <groups> <group name="RemoteAccess"> <description>RemoteAccess</description> <permission name="administration" /> </group> </groups> <users> <user username="remote" password="access"> <description>Remote Access Group</description> <group-membership group="RemoteAccess" /> </user> </users> </principals> The problem is that the line <permission name="administration" /> in the <groups> tag gives too much privilege to the remote user, for example, the remote user can shutdown the server. If I remove this line, there is a security exception thrown. I have not found a setting that will allow the user to have access to an ejb method, but not access to server commands. Does anyone know of other permission names? Thank You Doug Graesser