This topic has not yet been written. The content below is from the topic description.
The security role name referenced by either the or element must map to one of the application's declared roles. An application assembler defines logical security roles by declaring elements. The role-name attribute value is a logical application role name, such as Administrator, Architect, or Sales_Manager. The Java EE specifications note that it is important to keep in mind that the security roles in the deployment descriptor are used to define the logical security view of an application. Roles defined in the Java EE deployment descriptors should not be confused with the user groups, users, principals, and other concepts that exist in the target enterprise's operational environment. The deployment descriptor roles are application constructs with application domain-specific names. For example, a banking application might use role names such as Bank_Manager, Teller, or Customer.