This week's book giveaway is in the OCMJEA forum. We're giving away four copies of OCM Java EE 6 Enterprise Architect Exam Guide and have Paul Allen & Joseph Bambara on-line! See this thread for details.
Yes, linking references to roles is the job of the Assembler.
If the Bean Provider has declared any security role references using the security-role-ref elements, the Application Assembler must link all the security role references listed in the security-role-ref elements to the security roles defined in the security-role elements.
The deployer is concerned with assigning real principals to role names.
The Deployer assigns principals and/or groups of principals (such as individual users or user groups) used for managing security in the operational environment to the security roles defined in the security-role elements of the deployment descriptor.