I had some questions on this:
1. When would I use this?
2. What role should be assigned to the principal that executes this method? Should it be the same as the one we specify in the <role> element?
3. Does it mean that the bean would throw an exception when executed by a Principal that does not belong to this role?
The spec also says that this does not affect the identities of the caller. Does that mean that the caller (i.e. Principal) need not belong to the role required by run-as? confused :-( thanks.
I think it's a little clearer now. We can define method permissions on a bean which has a "run-As" security identity specified. But if I make a call from one of those methods to another bean, then the principal that gets propagated to the other bean is not that of the client (caller).
Page 447: "The deployer then assigns a security principal defined in the operational environment to be used as the principal for the run-as identity"
How would I do this? Say I have a security identity like this: run-As --> "Administrator"
And say I have 3 principals assigned to "Administrator": sachin, saurav, rahul. They all are "Administrator"s. Which is the principal that gets used when executing the method? I do understand that if I do a getPrincipal() inside one of those methods it won't be one of these 3, but the principal (i.e. the client) that actually executed this method in the first place. thanks again.
I guess you should view it as follows: the AdminBean has secured access available only to the Administrator role. The principals get checked when you call any method of AdminBean. All beans and resources called by the AdminBean will see only the role from <run-as>.
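The arrangement described in the reply above as an ejb-jar.xml fragment; this is an added example, not posted by anyone in the thread, and it goes one step further than the thread's "Administrator" case by giving the run-as identity a different role from the one the caller needs, so the caller does not have to belong to the run-as role. The bean names AdminBean and AuditBean and the role InternalSystem are assumed; the single principal the deployer binds to InternalSystem is set in the container's own vendor descriptor, which this fragment does not show.

```xml
<ejb-jar>
  <enterprise-beans>
    <session>
      <ejb-name>AdminBean</ejb-name>
      <!-- other bean elements omitted -->
      <security-identity>
        <!-- Every call AdminBean makes to other beans or resources is
             made under this role, regardless of the client's own roles.
             getCallerPrincipal() inside AdminBean still returns the client. -->
        <run-as>
          <role-name>InternalSystem</role-name>
        </run-as>
      </security-identity>
    </session>
    <session>
      <ejb-name>AuditBean</ejb-name>
      <!-- other bean elements omitted -->
    </session>
  </enterprise-beans>
  <assembly-descriptor>
    <security-role>
      <role-name>Administrator</role-name>
    </security-role>
    <security-role>
      <role-name>InternalSystem</role-name>
    </security-role>
    <!-- The client's roles are checked here: only Administrator may
         invoke AdminBean. A client in no role gets an access exception. -->
    <method-permission>
      <role-name>Administrator</role-name>
      <method>
        <ejb-name>AdminBean</ejb-name>
        <method-name>*</method-name>
      </method>
    </method-permission>
    <!-- AuditBean accepts only InternalSystem, so no client can call it
         directly; it is reachable only through AdminBean's run-as identity. -->
    <method-permission>
      <role-name>InternalSystem</role-name>
      <method>
        <ejb-name>AuditBean</ejb-name>
        <method-name>*</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>
```

Keeping the run-as role distinct from any client-facing role (and mapped to a dedicated principal) is what lets you audit which calls came through AdminBean rather than from an administrator directly.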