A security identity is the security principal under which a method is called or access to a resource is requested. It is usually the principal of the component's caller, but may also be a run-as security identity in circumstances where no authorization has taken place or delegation of a security identity has taken place. Security identities in an environment are principals or groups of principals that are mapped to abstract security roles that can be authorized to have access to a method or resource. Thus, the question for determining whether authorization is granted is whether the principal or security identity is in a role allowed access.