Role names are defined for the webapp in its web.xml. These role names are then mapped to principals in the webapp's weblogic.xml. A principal is either a user or a group. The principals are defined by the server's security setup.

In WLS 6.x and before, you used a "Realm". The default Realm was the File Realm, and users, groups, passwords (hashed), and Access Control Lists (ACLs) were stored in a file named fileRealm.properties (in 5.1 and before, these were in weblogic.properties). You could also plug in another Realm implementation - for example one backed by LDAP or a database. This CustomRealm would supply user and group definitions (and would be backed by a set of default users, groups and the ACLs in fileRealm). And of course there was an API to interact with the Realm (for creating users, changing passwords, adding users to groups, etc).

WebLogic 7.0 has a new security implementation and supports new stuff like JAAS. There is a compatibility/migration mode that will use your CustomRealm and/or FileRealm. The default setup uses a WebLogic-internal store (happens to be LDAP) for users and groups (Authentication) and Role Mappings and Access Decisions (Authorization). There is an API for all this and also an SPI (Service Provider Interface) that you can use to implement a custom Authentication Provider or Authorization Provider, if you really need to. I think out of the box, there is an Authentication Provider to hook up to standard LDAP providers.
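The web.xml-to-weblogic.xml mapping described in the post, shown as an added example (this is not code from the post or from WebLogic's own documentation). The role name `admin`, the URL pattern `/admin/*`, the realm name `myrealm` and the group `Administrators` are all assumed names chosen for illustration; the group must actually exist as a principal in whatever realm or Authentication Provider the server is using, or nobody will be able to satisfy the constraint.

```xml
<!-- WEB-INF/web.xml: declares the role and protects a URL pattern with it.
     Added example; role, path and realm names are hypothetical. -->
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>AdminPages</web-resource-name>
      <!-- Only this pattern is protected; anything outside it is reachable
           without authentication unless another constraint covers it. -->
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- Logical role name, meaningful only inside this webapp -->
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>myrealm</realm-name>
  </login-config>

  <!-- Every role referenced in an auth-constraint should also be declared here -->
  <security-role>
    <role-name>admin</role-name>
  </security-role>
</web-app>

<!-- WEB-INF/weblogic.xml: maps the logical role to a principal (user or group)
     defined by the server's security setup. Added example; the group name
     "Administrators" is an assumption and must exist in the realm/provider. -->
<weblogic-web-app>
  <security-role-assignment>
    <role-name>admin</role-name>
    <principal-name>Administrators</principal-name>
  </security-role-assignment>
</weblogic-web-app>
```

The point of the split is that web.xml stays portable across servlet containers (it only knows the abstract role `admin`), while the binding of that role to real users or groups lives in the WebLogic-specific descriptor and can change per deployment without touching the application. When reviewing such a deployment, check both halves: a role that is declared but never assigned, or assigned to a principal that does not exist in the realm, is a common reason for "everyone is locked out" or, worse, for a constraint silently not doing what the developer expected.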