Using Security Roles and Security Role
References 
To protect access to your applications, you can assign security roles (or security role references) to the applications. Users can then only access the application if they are assigned the corresponding role.
There are two main approaches for using security roles: declarative or programmable.
· Declarative
With this approach, the developer assigns a security role reference to his or her application component, for example, EMPLOYEE. When assembling the project, the assembler consolidates multiple role references to the security role that is to be used for the complete application. The administrator assigns users these roles that they need to access the applications.
· Programmable
With programmable security roles, the developer can use a method to verify that the user has a specific role at run-time. In this way, you can make a distinction at the program level, depending on the role that a user has. For example, you can provide different output to different users with different roles.
The declarative approach applies to both J2EE standard roles as well as to UME (User Management Engine) roles. However, when using the programmable approach, use UME roles and the UME APIs.
See also:
· J2EE standard roles:
· UME roles: Permissions, Actions, and UME Roles
· Administration: Users and Authorizations in the Administration Manual