Users of application servers, such as J2EE servers, commonly fall into one of three abstract roles: buyer, seller, or administrator. For example, a rental car company might deploy a variety of Enterprise JavaBeans (EJB) components that offer different products and services to clients. One service could be a specific component that enables a Web-based reservation process. In this case, the customer could access a Web site to reserve a rental car. The seller could access a site that provides a list of available cars and prices. The administrator could access a site that tracks inventory and maintenance schedules. These components provide the basic business services the application needs to function, and the tasks they accomplish require a security policy that enforces appropriate use of those services.
Using the deployment descriptors, the application developer can declare abstract security role names and use them to protect the components. For example, there can be a role called Service Representative, which protects the component that creates a rental agreement. Similarly, there can be a role called Approver, which protects the component that approves the agreement. Although these roles convey the intent of the application vendor or developer to enforce such security policies, they are not useful until the abstract role names are mapped to real-life principals such as actual users or actual groups.
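The following `ejb-jar.xml` is an added example, not a descriptor from the original page, showing how the two roles above would be declared and bound to bean methods with the standard EJB 2.1 assembly elements. The bean name `RentalAgreement`, its class and interface names, and the method names `createAgreement`, `approveAgreement` and `getAgreementStatus` are assumptions made for the illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: an EJB 2.1 deployment descriptor protecting a hypothetical
     RentalAgreement session bean with the abstract roles from the text. -->
<ejb-jar xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/ejb-jar_2_1.xsd"
         version="2.1">

  <enterprise-beans>
    <session>
      <ejb-name>RentalAgreement</ejb-name>
      <home>com.example.rental.RentalAgreementHome</home>      <!-- assumed -->
      <remote>com.example.rental.RentalAgreement</remote>      <!-- assumed -->
      <ejb-class>com.example.rental.RentalAgreementBean</ejb-class> <!-- assumed -->
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>

      <!-- The bean code may call isCallerInRole("approver"); the role-ref
           links that code-level name to the assembly-level role name. -->
      <security-role-ref>
        <role-name>approver</role-name>
        <role-link>Approver</role-link>
      </security-role-ref>
    </session>
  </enterprise-beans>

  <assembly-descriptor>
    <!-- Abstract roles: meaningful only once the deployer maps them to
         real users or groups in the container's own binding file. -->
    <security-role>
      <description>Staff who create rental agreements</description>
      <role-name>Service Representative</role-name>
    </security-role>
    <security-role>
      <description>Staff who approve rental agreements</description>
      <role-name>Approver</role-name>
    </security-role>

    <!-- Only Service Representatives may create an agreement. -->
    <method-permission>
      <role-name>Service Representative</role-name>
      <method>
        <ejb-name>RentalAgreement</ejb-name>
        <method-name>createAgreement</method-name>
      </method>
    </method-permission>

    <!-- Only Approvers may approve one. -->
    <method-permission>
      <role-name>Approver</role-name>
      <method>
        <ejb-name>RentalAgreement</ejb-name>
        <method-name>approveAgreement</method-name>
      </method>
    </method-permission>

    <!-- A read-only status query is left unchecked (any authenticated
         caller); methods listed in no method-permission at all are
         inaccessible to remote clients in most containers. -->
    <method-permission>
      <unchecked/>
      <method>
        <ejb-name>RentalAgreement</ejb-name>
        <method-name>getAgreementStatus</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>
```

Note that nothing in this file names a real user or group: the J2EE specification leaves the mapping of `Service Representative` and `Approver` to principals in the container's user registry to the deployer, in a vendor-specific binding descriptor. Until that mapping is done, every call to `createAgreement` or `approveAgreement` is denied, which is the safe default, but the application is also unusable, so a deployment checklist should verify the mapping for each declared role rather than only that the assembly descriptor is present.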