OK, I found out that if I add a "local" role to the user, I'm able to use all beans. So if a bean looks up another bean, the second one needs the role local.
But adding the local role to all my users has the result that everybody is allowed to do everything.
So what's wrong with my configuration? I probably can't see the easy solution.
Please give me some advice.
Edit: I read the Security guide again, and we have configured the "local" role in <run-as> to prevent users from using internal EJBs, exactly as mentioned in the guide. I don't understand why this exception is thrown at an invocation of a referenced EJB. Why is there a test of the principals, not just the role, which is set by the run-as tag?