I use a factory to create my users. Since I took the approach to mirror Windows ACL as closely as possible, I have a principal, users and groups. A principal is neither a user nor a group; it is simply an identity object, but both users and groups are principals. This lets me assign ACL privileges to either users or groups since they are specified as principals and not users or groups.
Given an id, I can't tell what the principal is until it's been factoried. It wraps its type for construction based on what the claimed instanceof object is stored in the database. When it comes to security with the ACL though, it doesn't make a difference what the principal is.
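A sketch of the design described above, as an added example that is not the poster's code: a factory that resolves the stored type through a fixed registry, and an ACL check that only ever sees principal ids. The language, every name here (`Principal`, `make_principal`, `ROWS`, `ACL`, `is_allowed`), the sample rows, and the deny-before-allow rule (borrowed from Windows ACL evaluation) are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:              # identity only; ACL entries refer to this
    id: int
    name: str

@dataclass(frozen=True)
class User(Principal):
    group_ids: frozenset = frozenset()

@dataclass(frozen=True)
class Group(Principal):
    pass

# Fixed registry: the type string stored in the database can only select a
# class listed here, so a tampered row cannot name an arbitrary class.
PRINCIPAL_TYPES = {"user": User, "group": Group}

# Constructed sample rows standing in for the principals table.
ROWS = {
    1: {"type": "user", "name": "alice", "group_ids": frozenset({10})},
    2: {"type": "user", "name": "bob"},
    10: {"type": "group", "name": "editors"},
    99: {"type": "unregistered_type", "name": "bogus"},
}

def make_principal(pid):
    """Factory: the concrete type is unknown until the row has been read."""
    row = ROWS[pid]
    cls = PRINCIPAL_TYPES.get(row["type"])
    if cls is None:
        raise ValueError(f"unknown principal type {row['type']!r}")
    fields = {k: v for k, v in row.items() if k != "type"}
    return cls(id=pid, **fields)

# Constructed ACL: entries are (principal_id, privilege, allow). They name
# principal ids only and never record whether the id is a user or a group.
ACL = {"report": [(10, "write", True), (2, "read", True),
                  (1, "delete", False), (10, "delete", True)]}

def is_allowed(principal, resource, privilege):
    """Default deny; any matching deny entry overrides matching allows."""
    ids = {principal.id} | set(getattr(principal, "group_ids", ()))
    hits = [allow for pid, priv, allow in ACL.get(resource, [])
            if pid in ids and priv == privilege]
    return bool(hits) and all(hits)
```
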