0 Replies Latest reply on Jul 10, 2009 10:59 AM by acerberus

    Disable security during security checks

    acerberus

      Since I needed very specific user and rights management capabilities that can, for example, handle hierarchical right definitions etc., I decided not to use the default Seam security classes. I now have the following situation: I have user and role entities that are restricted using @Restrict on the entity classes. If I now want to test whether or not a user has the required permissions to perform some action, I'll have to access the user's roles. However, the user should not need to have read access on the role objects, but of course, the permission resolver needs to be able to access them.


      The solution I came up with involves disabling security checks during security checks:


           public boolean hasPermission(Object target, String action) {
               /* store old value */
               boolean securityEnabled = Identity.isSecurityEnabled();

               try {
                   /* disable security */
                   Identity.setSecurityEnabled(false);

                   return performSomeFancyChecksThatMightAccessRoleEntities(target, action);
               } finally {
                   /* restore security */
                   Identity.setSecurityEnabled(securityEnabled);
               }
           }



      I am, however, not too happy with this solution as it feels somewhat wrong. Do you have any ideas how to properly resolve this situation?
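
An added example, not part of the original post and not Seam code: the switch in the post is reached through static calls, so this sketch assumes it is one flag shared by every thread and contrasts that with an exemption scoped to the resolver's own thread. `PrivilegedScopeDemo`, `globalEnabled`, `privileged` and both `readAllowed*` methods are constructed stand-ins.

```java
import java.util.concurrent.CountDownLatch;

/** Constructed stand-in for a framework-wide security switch; not Seam code. */
public class PrivilegedScopeDemo {
    // Process-wide flag, modelling a static enable/disable switch (assumption).
    static volatile boolean globalEnabled = true;
    // Per-thread alternative: only the thread doing the role lookup is exempt.
    static final ThreadLocal<Boolean> privileged = ThreadLocal.withInitial(() -> false);

    /** Models an @Restrict-style read check on a role entity. */
    static boolean readAllowedGlobal(boolean callerHasRight) {
        return !globalEnabled || callerHasRight;
    }
    static boolean readAllowedScoped(boolean callerHasRight) {
        return privileged.get() || callerHasRight;
    }

    /** A resolver lifts the check; a second thread probes while it is lifted. */
    static boolean otherThreadBypassed(boolean useGlobal) throws InterruptedException {
        CountDownLatch lifted = new CountDownLatch(1), probed = new CountDownLatch(1);
        boolean[] result = new boolean[1];
        Thread resolver = new Thread(() -> {
            boolean old = globalEnabled;
            try {
                if (useGlobal) globalEnabled = false; else privileged.set(true);
                lifted.countDown();
                probed.await();          // resolver is still reading role entities
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt();
            } finally {
                if (useGlobal) globalEnabled = old; else privileged.remove();
            }
        });
        Thread unrelated = new Thread(() -> {
            try { lifted.await(); } catch (InterruptedException e) { return; }
            // A concurrent request from a user without the read right.
            result[0] = useGlobal ? readAllowedGlobal(false) : readAllowedScoped(false);
            probed.countDown();
        });
        resolver.start(); unrelated.start();
        resolver.join(); unrelated.join();
        return result[0];
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("global flag, other thread bypassed: " + otherThreadBypassed(true));
        System.out.println("thread-local, other thread bypassed: " + otherThreadBypassed(false));
    }
}
```

With a shared flag, every restricted access on any thread passes for as long as one permission check is in progress; the thread-local variant keeps the exemption with the resolver and still clears it in `finally`.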