Hi, I'm just studying that a bean can be given another security role other than the client's Principal one by using the <security-identity><run-as /></security-identity> element in the DD.

The question is: who does define this element? I think it's not the bean's developer, as she may not know the business context in which the application will run; for the same reason I would say that is not the Application Assembler either. Shall I assume is the application deployer?

I think it's the Application Assembler who does this.

Look at this post.

There's a reference there to a study guide where you can read this:

"The Application Assembler uses the security-identity deployment descriptor element to specify whether the caller's security identity should be used for the execution of the methods of an enterprise bean or whether a specific run-as identity should be used ... Because the Application Assembler does not, in general, know the security environment of the operational environment, the run-as identity is designated by a LOGICAL role-name, which corresponds to one of the security roles defined by the Application Assembler in the deployment descriptor."
[ July 25, 2004: Message edited by: Lionel Orellana ]

Hi marco,
You can even have a look at this, very helpful. http://www.valoxo.ch/jr/DeploymentDescriptor.pdf