If the user configures roles with principals in the JBoss DD (jboss.xml, jboss-web.xml and jboss-app.xml), these can affect the authorization decision. The Authorization Manager should be aware of these deployment level roles to be passed to the mapping framework (such that if there is an explicit mapping provider that takes into consideration, these deployment level roles), then the overall authorization decision can be affected.