Ever wished that there was a simple way for you to declare that each user can only access his own profile, just as easily as you can declare that only users with admin role can edit certain type of data? Well too bad since such a thing has never existed so you've just resorted to making programmatic checks and building the queries in your service to enforce data instance security. Until now of course: meet ERBAC (Entity-Relationship Based Access Control), the long lost cousin of RBAC (Role Based Access Control)!
And be assured that EntityManager.merge() would fail even if somebody manually replaced the entity id somewhere along the way? Wouldn't it be equally cool if you could just do EntityManager.find(Account.class, null) to fetch the right Account for the currently logged-in user? If securing data instances have been causing gray hair for you before and you happen to be using JPA, you should definitely checkout Tynamo's latest module, tapestry-security-jpa.