My 2 cent: I would suggest to place "addRole" and "removeRole" in the session bean. The reason is that for relationships, both sides of the relation must be modified:
For example this snippet will add a new user-to-role-connection:
myUser.getRoles().add (myRole); myRole.getUsers().add (myUser);
Placing this in an entity breaks data encapsulation principles, because the entity manipulates other entitities ;-). But technically, it would work in the entity, too. It is just "dirty".
thank you for your response.
I thought that, too but were not sure.