In certain situations, the identity of the user may need to be changed to enable a different, possibly more powerful, role. Consider the following analogy:
If you are familiar with the way most operating systems work, a user is not permitted to directly read or write to a file. Low-level access to the file is restricted. When a user needs to read or write to a file, the operating system will verify the individual's access rights to the file and then temporarily grant read/write access privileges to the user. The user assumes a higher level of privilege on a temporary basis.
This is analogous to the use of the @RunAs annotation. It allows a new role to be temporarily assigned to the methods of an EJB.
The steps ...