Yes have stuck to Seam - whatever it prescribes we have gone with.

So we have the Identity seam managed component, and we also use PermissionResolver's, and the components.xml to configure it all.

The basic identity/authorization uses JAAS underneath - so you can hook it up to whatever ID service is needed. This can be taken slightly futher by specifying what users are "admin" - but to go any further, we have Guvnor specific permissions (which are not stored externally) - thats there Seam's permission framework comes in (but this is probably only relevant to a repository at this stage).