The <security-identity> tag in ejb-jar.xml can have 2 values: <use-caller-identity> or <run-as>. The tag that you use determines the role name that is propagated when this EJB calls a method on another EJB. If you use <use-caller-identity>, then whatever the role name of the caller who called this EJB, the same role will be propagated when this EJB calls methods on another EJB. But if you specify another role name using the <run-as> tag in <security-identity>, then that role will be propagated in method calls made by this EJB on other EJBs. The role that is propagated will be used for authorization of the called EJB's methods. For example, if the called EJB method has a <method-permission> defined for this role, then this role will be allowed to call that method; otherwise authorization will be denied.
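
The two settings side by side, as an added example that is not part of the original text. The bean names, class names, role name and method name are hypothetical, and the EJB 3.0 descriptor format is assumed:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<ejb-jar xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <enterprise-beans>
    <!-- Calling bean 1: propagates whatever role its own caller has. -->
    <session>
      <ejb-name>ReportBean</ejb-name>
      <ejb-class>com.example.ReportBean</ejb-class>
      <session-type>Stateless</session-type>
      <security-identity>
        <use-caller-identity/>
      </security-identity>
    </session>
    <!-- Calling bean 2: always propagates inventory-admin,
         no matter which role its own caller has. -->
    <session>
      <ejb-name>BatchBean</ejb-name>
      <ejb-class>com.example.BatchBean</ejb-class>
      <session-type>Stateless</session-type>
      <security-identity>
        <run-as>
          <role-name>inventory-admin</role-name>
        </run-as>
      </security-identity>
    </session>
    <!-- Called bean: its method is protected in the assembly-descriptor. -->
    <session>
      <ejb-name>InventoryBean</ejb-name>
      <ejb-class>com.example.InventoryBean</ejb-class>
      <session-type>Stateless</session-type>
    </session>
  </enterprise-beans>
  <assembly-descriptor>
    <security-role>
      <role-name>inventory-admin</role-name>
    </security-role>
    <!-- Only inventory-admin may call InventoryBean.adjustStock.
         Via BatchBean the call is authorized for every caller of BatchBean.
         Via ReportBean it is authorized only when the original caller
         is already in inventory-admin; otherwise it is denied. -->
    <method-permission>
      <role-name>inventory-admin</role-name>
      <method>
        <ejb-name>InventoryBean</ejb-name>
        <method-name>adjustStock</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>
```

Because <run-as> lets every caller of BatchBean reach adjustStock with the inventory-admin role, the methods of BatchBean need their own <method-permission> entries to keep that elevation limited to the intended callers.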