> But it is not updating the xml file in VDB.
No that is not currently supported. Only modifications to what JAAS groups are assigned to the data role through the adminapi are currently supported at runtime.
> Actual requirement is "allow users to add new roles which can be used accessing and constraining the VDB".
We do offer a mechanism to plug in a custom PolicyDecider, which can be implemented to be more flexible. See the links from a related thread: https://developer.jboss.org/message/931296?et=watches.email.thread#931296