The standard provisions for EJB security focus on minimal programmatic and declarative access-control mechanisms. Such mechanisms provide role-based access control for your EJBs. Nevertheless, a particular EJB container/server vendor must still provide a way to map such roles to principal names managed by a particular operational environment. The vendor also must provide support for authentication, identity propagation, and identity delegation. Furthermore, the vendor must provide a means for secure communications between EJB client and server, as well as a means for security auditing. Thus, the J2EE and EJB specifications offer EJB developers minimal standard security-provisioning options.