The user can configure principal to role mapping at the deployment level, for example in jboss-app.xml etc. The authorization engine should consider these for authorization decisions before proceeding towards the jaas generated roles. Preference is always given to the RunAsIdentity.

The ejb layer as well as the web layer is affected by this.