Using J2EE security roles in a deployed Gen EJB EAR file (WebSphere)

Article ID: 277781

Updated On: 02-11-2025

Products

Gen
Gen - Run Time Distributed

Issue/Introduction

Is it possible to implement J2EE security roles for a Gen 8.6 EJB/EJB Web Service deployed in WebSphere 9.0.5?

For deployed Gen EJBs the expected Detail Properties option "Security role to user/group mapping" is not visible/missing, so do Gen EJBs not support J2EE role-based security?


WebSphere Application Server 9.0.5 doc. page references:
Security role references in web applications
Security role to user or group mapping

To meet this requirement, the ejb-jar.xml for each Server Manager within the EAR file needs to include an <assembly-descriptor> customized as follows:
    <assembly-descriptor>
        <security-role>
            <role-name>GenAcquisitionSecurityRole</role-name>
        </security-role>
        <method-permission>
            <role-name>GenAcquisitionSecurityRole</role-name>
            <method>
                <ejb-name>PSTEPNAME</ejb-name>
                <method-name>*</method-name>
            </method>
        </method-permission>
    </assembly-descriptor>

Environment

Gen 8.6 EJB EAR files
WebSphere Application Server 9.0.5

Cause

Support checked their example Gen EJB deployments on WebSphere 9.0.5.10 and for Detail Properties, the option "Security role to user/group mapping" is always missing.
Gen EJB EAR files have XML descriptor files (e.g. ejb-jar.xml) that do not contain security role tags to enable securing of the EJBs on the deployed Application Server (J2EE authorization). That explains why the option "Security role to user/group mapping" is not visible.

Resolution

Gen Engineering confirms that there is currently no official support for adding security role information into the ejb-jar.xml descriptor file.
The only options would be:

  • Modify the ejb-jar.xml descriptor file within the EAR file to add the <assembly-descriptor> element after the assemble step is complete. This could be done either manually or using a post-process step that operates on the EAR file.

  • Potentially the relevant Build Tool Assemble script in the directory "%Gen86%\Gen\bt\scripts" could be customized to automate the process. The main assemble script is deploy_ear.scr which customizes the ejb-jar.xml file that is initially created during the code generation step (directory model_name.ief\java\S1\META-INF) for inclusion into the EAR file.
    Gen Support did develop a basic custom solution covering this requirement for the scenario of 1 Procedure Step (PStep) per SERVER MANAGER. For details see article: Customize the content of a Gen EJB/EJB Web Service ejb-jar.xml file
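
A read-only check that can run after either option above, as an added example (not Gen Support's code): it opens an EAR, reads META-INF/ejb-jar.xml from each nested EJB jar, and lists the beans that no declared security role protects. The jar names and the in-memory sample EAR are constructed for illustration, and it assumes the EJB modules sit in the EAR as .jar entries.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

def _named(node, name):
    # Match on local name so DTD-based and namespaced descriptors both work.
    return [e for e in node.iter() if e.tag.rsplit("}", 1)[-1] == name]

def audit_descriptor(xml_bytes):
    """Return ejb-names in one ejb-jar.xml not covered by a declared role."""
    root = ET.fromstring(xml_bytes)
    declared = {r.text.strip() for sr in _named(root, "security-role")
                for r in _named(sr, "role-name")}
    granted = {n.text.strip(): set() for eb in _named(root, "enterprise-beans")
               for n in _named(eb, "ejb-name")}
    for perm in _named(root, "method-permission"):
        roles = {r.text.strip() for r in _named(perm, "role-name")}
        for n in (n for m in _named(perm, "method") for n in _named(m, "ejb-name")):
            granted.setdefault(n.text.strip(), set()).update(roles)
    return sorted(b for b, r in granted.items() if not (r & declared))

def audit_ear(ear):
    """Map each EJB module (nested .jar) in the EAR to its unprotected beans."""
    report = {}
    with zipfile.ZipFile(ear) as outer:
        for entry in (e for e in outer.namelist() if e.lower().endswith(".jar")):
            with zipfile.ZipFile(io.BytesIO(outer.read(entry))) as jar:
                if "META-INF/ejb-jar.xml" in jar.namelist():
                    report[entry] = audit_descriptor(jar.read("META-INF/ejb-jar.xml"))
    return report

def build_sample_ear():
    """Constructed sample: one module with the page's descriptor, one without."""
    bean = "<enterprise-beans><session><ejb-name>PSTEPNAME</ejb-name></session></enterprise-beans>"
    role = "<role-name>GenAcquisitionSecurityRole</role-name>"
    secured = (f"<assembly-descriptor><security-role>{role}</security-role>"
               f"<method-permission>{role}<method><ejb-name>PSTEPNAME</ejb-name>"
               "<method-name>*</method-name></method></method-permission></assembly-descriptor>")
    ear = io.BytesIO()
    with zipfile.ZipFile(ear, "w") as outer:
        for name, extra in (("secured.jar", secured), ("generated.jar", "")):
            jar = io.BytesIO()
            with zipfile.ZipFile(jar, "w") as inner:
                inner.writestr("META-INF/ejb-jar.xml", f"<ejb-jar>{bean}{extra}</ejb-jar>")
            outer.writestr(name, jar.getvalue())
    return io.BytesIO(ear.getvalue())

if __name__ == "__main__":
    print(audit_ear(build_sample_ear()))
```

audit_ear also accepts a path to an EAR on disk. An empty list for a module means every bean in it is covered by a role that is both declared in <security-role> and granted in <method-permission>.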

Additional Information

If this feature is considered important for Gen to do out of the box, then the advice would be to create an Idea on the Ideas Community (Category=Gen) to request an enhancement for Gen. That Idea could then be voted on by other Gen users.