No answer, but if anyone else has similar questions, here is what ended up happening in our case.
LDAP roles did in fact enter the relational DB. I was not happy about that, but it was necessary for mapping to determine application accessibility for that particular user. The problem here is that the 'security role', as we refer to it in our domain model, turned into a domain object. It will likely end up being a value object. This is partly due to some apparent Hibernate limitations with multiple joins (I am still waiting for an answer on that). Mostly, though, the security role becomes a variable for determining the needs of the rest of the domain.