0 Replies Latest reply on Jul 15, 2009 5:03 PM by chris.simons

    JpaPermissionStore: Check a session var without extending the entire Identity store?


      I've researched Seam's built-in Identity Management components and I've determined that they meet our app's requirements - all but one.  In addition to checking the User/Recipient, the Object, and a target, I also need to have this check validated against an organizational code.


      Thus, I could have an Account:insert permission at one organization but not another.


      The user's currently logged in organization is stored in the session, let's say currentOrg.


      To further complicate things, each organization has a hierarchy.  An organization may belong to one - and only one - higher-level organization.  If I have a role/permission at the higher-level organization, this role/permission trickles down to the lower-level organization(s).


      Therefore, if I check for a permission like:



      #{s:hasPermission(target, 'insert')...

      I need the .hasPermission method to take into account this organizational hierarchy by checking the currentOrg variable and then to utilize an already existing framework for determining this organizational hierarchy - and then return a result.



      So that's my problem.  I'd prefer NOT to override the entire Identity Management store.  I'd like to start small - at the permission level - and work my way up as necessary.  Where would you suggest I begin?  Or, do I not have any options here but to build a custom identity store?



      Thank you for your time and assistance.
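
The hierarchy-aware check described in the post above, as an added example that is not part of the original post and is not Seam's own code. It is plain Java with no Seam types; the class and method names and the sample organization codes are hypothetical, and the currentOrg argument is assumed to be read from the session by the caller.

```java
import java.util.*;

/** Added illustration: org-scoped permission check that inherits grants from parent orgs. */
public class OrgScopedPermissions {
    // child org code -> its single parent org code (top-level orgs have no entry)
    private final Map<String, String> parentOf = new HashMap<>();
    // each grant is the tuple [recipient, target, action, org]
    private final Set<List<String>> grants = new HashSet<>();

    public void setParent(String child, String parent) {
        // Refuse a link that would make an org its own ancestor.
        for (String o = parent; o != null; o = parentOf.get(o)) {
            if (o.equals(child)) throw new IllegalArgumentException("cycle at " + child);
        }
        parentOf.put(child, parent);
    }

    public void grant(String recipient, String target, String action, String org) {
        grants.add(Arrays.asList(recipient, target, action, org));
    }

    /** True if the grant exists at currentOrg or at any org above it. */
    public boolean hasPermission(String recipient, String target, String action, String currentOrg) {
        // A missing session org ends the loop immediately and falls through to deny.
        for (String org = currentOrg; org != null; org = parentOf.get(org)) {
            if (grants.contains(Arrays.asList(recipient, target, action, org))) return true;
        }
        return false; // default deny: no grant on the path to the top-level org
    }

    public static void main(String[] args) {
        // Constructed sample hierarchy: HQ -> EAST -> EAST-NYC, HQ -> WEST
        OrgScopedPermissions p = new OrgScopedPermissions();
        p.setParent("EAST", "HQ");
        p.setParent("EAST-NYC", "EAST");
        p.setParent("WEST", "HQ");
        p.grant("alice", "Account", "insert", "EAST");

        // Child of the granting org: the grant trickles down.
        System.out.println(p.hasPermission("alice", "Account", "insert", "EAST-NYC"));
        // Sibling org: grants do not cross branches.
        System.out.println(p.hasPermission("alice", "Account", "insert", "WEST"));
        // Parent org: grants do not flow upward.
        System.out.println(p.hasPermission("alice", "Account", "insert", "HQ"));
        // No organization in the session.
        System.out.println(p.hasPermission("alice", "Account", "insert", null));
    }
}
```

The check walks only upward from currentOrg, so a grant at a lower-level or sibling organization never satisfies a check made at a different branch or at the parent.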