It would be convenient to have one "rescue" user that has all the permissions in the system, that can login regardless of the current security realm configuration. That allows users to regain access to the system even if the user lost access, or if the backend identity system is down.

The way I think of it is that this shouldn't be a real account, but some backdoor with a different login URL.