when you have an ear, role mappings in the individual modules may be overridden by mappings defined at the application level, and I believe that mapping in web modules will not be processed. Maybe that is also the case for an ejb jar.
Thanks for providing the domain that failed msg. Before I saw that you had resolved this. I was going to point out that you can see from the protection domain, that the proper runas identity had been set, since the domain included the "manager1" principal.
At that point I would have looked in the policy files generated for the app to see if manager1 was indeed mapped to the role, and this granted the permission. You can find the policy files for you app under:
domains/domainx/generated/policy/appname/module-name/
Ron
[Message sent by forum member 'monzillo' (monzillo)]
http://forums.java.net/jive/thread.jspa?messageID=270399