Howdy -- yep... the DD can be broken into three main parts (I normally describe it as TWO, but if the bean has CMR relationships, then you get three) as follows:
<ejb-jar>
  <enterprise-beans>
    * this is where all the bean information goes... things the Bean Provider is responsible for
  </enterprise-beans>
  <relationships>
    * this is where you describe the CMR relationships between beans
  </relationships>
  <assembly-descriptor>
    * this is where you describe app assembly things for method permissions, security roles, and transaction attributes.
  </assembly-descriptor>
</ejb-jar>
I don't really know what I meant in that paragraph, but you've got it right -- the actual <assembly-descriptor> element is for transaction attributes, method permissions, and security roles.
cheers,
Kathy
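
The three-part layout described above, as an added example that is not part of the original post: a small Python check that reads a descriptor and reports which beans declared under <enterprise-beans> have no matching method permission or transaction attribute under <assembly-descriptor>. The sample descriptor, its bean, class and role names, and the `audit` function are constructed for illustration, and the code assumes an EJB 2.0 style descriptor with no XML namespace.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor (all names are made up for this example).
SAMPLE_DD = """<ejb-jar>
  <enterprise-beans>
    <session>
      <ejb-name>PayrollBean</ejb-name>
      <ejb-class>example.PayrollBean</ejb-class>
    </session>
    <entity>
      <ejb-name>EmployeeBean</ejb-name>
      <ejb-class>example.EmployeeBean</ejb-class>
    </entity>
  </enterprise-beans>
  <!-- <relationships> with the CMR relationships would sit here -->
  <assembly-descriptor>
    <security-role><role-name>hr-admin</role-name></security-role>
    <method-permission>
      <role-name>hr-admin</role-name>
      <method><ejb-name>PayrollBean</ejb-name><method-name>*</method-name></method>
    </method-permission>
    <container-transaction>
      <method><ejb-name>PayrollBean</ejb-name><method-name>*</method-name></method>
      <trans-attribute>Required</trans-attribute>
    </container-transaction>
  </assembly-descriptor>
</ejb-jar>"""

def audit(dd_xml):
    """Cross-check beans in <enterprise-beans> against <assembly-descriptor>."""
    root = ET.fromstring(dd_xml)
    # Every bean type (session, entity, message-driven) carries an <ejb-name>.
    beans = {e.text.strip() for e in root.findall("enterprise-beans/*/ejb-name")}
    asm = root.find("assembly-descriptor")

    def names(path):
        # Collect the text of all elements matching path inside the assembly part.
        return set() if asm is None else {e.text.strip() for e in asm.findall(path)}

    declared_roles = names("security-role/role-name")
    used_roles = names("method-permission/role-name")
    return {
        "no_permission": sorted(beans - names("method-permission/method/ejb-name")),
        "no_transaction": sorted(beans - names("container-transaction/method/ejb-name")),
        "undeclared_roles": sorted(used_roles - declared_roles),
    }

if __name__ == "__main__":
    print(audit(SAMPLE_DD))
```
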