if your services are fixed, then would it be sufficient to define (at least) one Role to control access to each service, and to map each such role either explicitly or implicitly to a Group (principal) and then to manage access to your services by defining (or changing) the groups to which your individual users are assigned. This is generally regarded as best practice. You may have other requirements which make the above insufficient.
Ron
[Message sent by forum member 'monzillo' (monzillo)]
http://forums.java.net/jive/thread.jspa?messageID=278418