DeploymentRolesMappingProvider can be used for mapping roles to principals (see http://community.jboss.org/wiki/MappingRolesinJBossApplicationServerv5x). The mappings can be defined in jboss-app.xml, jboss-web.xml, jboss.xml, and are per application.
For mapping roles to groups, JBoss' official solution is RoleMappingLoginModule (see http://community.jboss.org/wiki/RoleMappingLoginModule). The mappings can be defined in RoleMappingLoginModule's property file, and are not per application. This is different from WebLogic/WebSphere/Glassfish, and causes difficulties when porting applications to JBoss. Does JBoss have any plan to improve this?