thanks for reply but I did not understand the message, can you please explain (few more words please)...
this is example of declarative security, so I do not think coding of this method would check the role of user,
and role matters only at access of method,
@RollesAllowed(CSR), does it not mean that allow CSR to access this method, what is achived by running this method as ADMIN?
If you don't, this bean will be seen as being a CSR. If it tries to call a method from another bean which is restricted to ADMIN, it will fail. To avoid this, @RunAs can be used to tell other bean that the caller is actually using the ADMIN role. You can imagine the bean wearing a CSR cap, and putting an ADMIN cap over it.