Currently the user and role store for authentication and authorization have to be chosen at ArcGIS Server site level: either Built-in, or LDAP, or Active Directory.
We actually want to lock down some services with a built-in user and role; these services are used by web applications that have their own authentication/autorization scheme.
Some other services that are used by internal users we want to lock down with Active Directory.
So we want to specify the user and role store to be used on a per-service basis.
Of course we could have two separate ArcGIS Sites for these two types of services; however we want to have only one site in order to share resources and to minimize maintenance effort.