You need to redeploy the EJB or use the app server's security framework directly and discard the braindead J2EE security model.
Well, it's the latter I wish to do... Any pointers on how to do so?
Much much appreciated.
One approach would be to install a security proxy that enforces the authorization rather than using the J2EE security interceptor for it. So in the security proxy, per bean or per bean method, you can look up some internal Java objects or MBean services that keep track of the ACL and do the appropriate checks, and have these MBeans or POJOs be mutable objects rather than the fixed set of roles you're forced into with the XML descriptor approach.
If, in addition, you need to have your new roles propagated with the invocations, then you need to use the SecurityAssociation class to also modify the RoleGroup principal set in the active subject to populate it with the current role information.
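As an added illustration of the approach described in the reply above (this is not code from the thread or from JBoss itself): a security proxy that consults a mutable in-memory ACL and, as the optional second step, refreshes the "Roles" group of the active Subject. The `org.jboss.security` types (`SecurityProxy`, `SecurityAssociation`, `SimpleGroup`, `SimplePrincipal`) are JBoss's own; `AclRegistry` and its method names are an assumed placeholder for whatever MBean or POJO you keep the ACL in.

```java
import java.lang.reflect.Method;
import java.security.Principal;
import java.security.acl.Group;
import java.util.*;
import javax.ejb.EJBContext;
import javax.security.auth.Subject;
import org.jboss.security.*;

/** Assumed placeholder for the mutable ACL: swap in your own MBean or POJO. Entries may change at runtime. */
class AclRegistry {
    private static final Map<String, Set<String>> allowed = new HashMap<String, Set<String>>(); // method -> users
    private static final Map<String, Set<String>> roles = new HashMap<String, Set<String>>();   // user -> roles
    static synchronized void grant(String method, String user) { add(allowed, method, user); }
    static synchronized void assignRole(String user, String role) { add(roles, user, role); }
    static synchronized boolean isAllowed(String method, String user) { Set<String> s = allowed.get(method); return s != null && s.contains(user); }
    static synchronized Set<String> rolesFor(String user) { Set<String> r = roles.get(user); return r == null ? new HashSet<String>() : new HashSet<String>(r); }
    private static void add(Map<String, Set<String>> m, String k, String v) { if (!m.containsKey(k)) m.put(k, new HashSet<String>()); m.get(k).add(v); }
}

/** JBoss security proxy: every home and bean-method call passes through check() before the EJB runs. */
public class AclSecurityProxy implements SecurityProxy {
    public void init(Class beanHome, Class beanRemote, Object securityMgr) { }
    public void init(Class beanHome, Class beanRemote, Class beanLocalHome, Class beanLocal, Object securityMgr) { }
    public void setEJBContext(EJBContext ctx) { }
    public void invokeHome(Method m, Object[] args) throws SecurityException { check(m); }
    public void invoke(Method m, Object[] args, Object bean) throws SecurityException { check(m); }

    // Deny by default: an unauthenticated caller (null principal) or one not listed in the ACL is rejected.
    private void check(Method m) {
        Principal caller = SecurityAssociation.getPrincipal();
        String user = (caller == null) ? null : caller.getName();
        if (user == null || !AclRegistry.isAllowed(m.getName(), user)) {
            throw new SecurityException("ACL denies " + user + " access to " + m.getName());
        }
        propagateRoles(user);
    }

    // Optional step from the reply: copy the caller's current roles into the "Roles" group of the
    // active Subject so downstream invocations see them. "Roles" is JBoss's conventional group name.
    private void propagateRoles(String user) {
        Subject subject = SecurityAssociation.getSubject();
        if (subject == null) return;
        Group rolesGroup = null;
        for (Group g : subject.getPrincipals(Group.class)) {
            if ("Roles".equals(g.getName())) { rolesGroup = g; break; }
        }
        if (rolesGroup == null) { rolesGroup = new SimpleGroup("Roles"); subject.getPrincipals().add(rolesGroup); }
        for (String role : AclRegistry.rolesFor(user)) rolesGroup.addMember(new SimplePrincipal(role));
    }
}
```

Wire the proxy to a bean with the `<security-proxy>` element of that bean's entry in jboss.xml; because `AclRegistry` is mutable, a `grant` or role change takes effect on the next invocation without redeploying the EJB.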