Just came across a nice blog post on how to do authorization in SOA using the OWSM permission-based authorization policy.
One big caveat is in order: SOA does not support the concept of "Application Roles". So the grant is done to the enterprise role (i.e., LDAP group). If I get some time I will post more about the differences between doing grants for Application Roles vs. Enterprise Roles.