I guess you should view it as follows:
The AdminBean has secured access available only to the Administrator role.
The principals get checked when you call any method of AdminBean.
All beans and resources called by the AdminBean will see only the role from <run-as>.
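
The arrangement described above, written out as an EJB 3.0 `ejb-jar.xml` deployment descriptor. This is an added example, not part of the original post: the role name `InternalRole` and the downstream `ReportBean` are hypothetical, and both beans are assumed to be annotated session beans so that the descriptor only has to supply the security settings.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<ejb-jar xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/ejb-jar_3_0.xsd"
         version="3.0">
  <enterprise-beans>
    <session>
      <ejb-name>AdminBean</ejb-name>
      <!-- Outgoing identity: every bean or resource that AdminBean calls
           sees this role, not the role of the original caller. -->
      <security-identity>
        <run-as>
          <role-name>InternalRole</role-name> <!-- hypothetical role name -->
        </run-as>
      </security-identity>
    </session>
  </enterprise-beans>

  <assembly-descriptor>
    <security-role><role-name>Administrator</role-name></security-role>
    <security-role><role-name>InternalRole</role-name></security-role>

    <!-- Incoming check: the caller's principal must hold Administrator
         for any AdminBean method. run-as does not affect this check. -->
    <method-permission>
      <role-name>Administrator</role-name>
      <method>
        <ejb-name>AdminBean</ejb-name>
        <method-name>*</method-name>
      </method>
    </method-permission>

    <!-- Hypothetical downstream bean: reachable only through a caller that
         runs as InternalRole, so an Administrator calling it directly is
         rejected while a call made by AdminBean is allowed. -->
    <method-permission>
      <role-name>InternalRole</role-name>
      <method>
        <ejb-name>ReportBean</ejb-name>
        <method-name>*</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>
```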