I think it's the Application Assembler who does this.
Look at this post.
There's a reference there to a study guide where you can read this:
"The Application Assembler uses the security-identity deployment descriptor element to specify whether the caller's security identity should be used for the execution of the methods of an enterprise bean or whether a specific run-as identity should be used ... Because the Application Assembler does not, in general, know the security environment of the operational environment, the run-as identity is designated by a LOGICAL role-name, which corresponds to one of the security roles defined by the Application Assembler in the deployment descriptor."
[ July 25, 2004: Message edited by: Lionel Orellana ]
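
The passage quoted in the reply above, shown as an ejb-jar.xml fragment. This is an added example, not part of the original post or the study guide. The bean names, class names and the role name `audit-writer` are hypothetical, and an EJB 2.x style descriptor is assumed.

```xml
<ejb-jar>
  <enterprise-beans>
    <!-- Bean whose methods execute under a run-as identity -->
    <session>
      <ejb-name>AuditLogBean</ejb-name>
      <home>example.AuditLogHome</home>
      <remote>example.AuditLog</remote>
      <ejb-class>example.AuditLogBean</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>
      <security-identity>
        <run-as>
          <!-- Logical role name only; no real user or principal appears here -->
          <role-name>audit-writer</role-name>
        </run-as>
      </security-identity>
    </session>

    <!-- Bean whose methods execute with the caller's own identity -->
    <session>
      <ejb-name>AccountBean</ejb-name>
      <home>example.AccountHome</home>
      <remote>example.Account</remote>
      <ejb-class>example.AccountBean</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>
      <security-identity>
        <use-caller-identity/>
      </security-identity>
    </session>
  </enterprise-beans>

  <assembly-descriptor>
    <!-- The run-as role-name above must match a security role declared here -->
    <security-role>
      <role-name>audit-writer</role-name>
    </security-role>
  </assembly-descriptor>
</ejb-jar>
```

The descriptor names only the logical role; binding `audit-writer` to an actual principal in the operational environment happens at deployment time, which is why the Application Assembler can write this without knowing the target security environment.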