That could also be very useful for the out of the box handling of the users and roles for securing the management APIs. If some of the PicketLink functionality can be exposed as domain operations the admin console would then be able to manipulate the users and their roles.