Do you normally need read access to the entity? You could remove the get* methods.
I'd like to control the read-access based on a user's role (and a special use case).
E.g. I have one business case, where a balance of account A should not be visible for users with role "clerk". But in another case balance should not be visible for a user with a role "employee"...
May I use @Permit on entities (anyhow it would not fulfil my needs, but it would be interesting to know)?
I haven't tried this, so it may not work :)
First note that it's generally a good idea to wrap access to the EntityManager in an Entity Access Object (EAO), a DAO for entities.
If you do that, then you could use the EAO to return a copy of the entity with whatever fields you need nulled out.
Hope that made sense.
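
The suggestion in the reply above, sketched as an added example that is not part of the original thread: an EAO that returns a detached copy of the entity with the balance nulled out according to use case and role. The `Account` class, the use-case names and the `loader` function (standing in for `EntityManager.find`) are assumptions made for illustration.

```java
import java.math.BigDecimal;
import java.util.Map;
import java.util.Set;
import java.util.function.Function;

public class AccountEaoExample {
    // Hypothetical stand-in for the JPA entity discussed in the thread.
    static class Account {
        final Long id; final String owner; BigDecimal balance;
        Account(Long id, String owner, BigDecimal balance) {
            this.id = id; this.owner = owner; this.balance = balance;
        }
    }

    // Hypothetical use-case names, each mapped to the roles that must not see the balance.
    static final Map<String, Set<String>> BALANCE_HIDDEN_FROM = Map.of(
        "accountOverview", Set.of("clerk"),
        "payrollReport", Set.of("employee"));

    static class AccountEao {
        // Assumption: in a real EAO this would be entityManager.find(Account.class, id).
        private final Function<Long, Account> loader;

        AccountEao(Function<Long, Account> loader) { this.loader = loader; }

        Account findForDisplay(Long id, String useCase, String role) {
            Account managed = loader.apply(id);
            if (managed == null) return null;
            // Copy first: a field nulled on a managed instance could be written back on flush.
            Account copy = new Account(managed.id, managed.owner, managed.balance);
            Set<String> hiddenFrom = BALANCE_HIDDEN_FROM.get(useCase);
            // Deny by default: an unknown use case hides the balance from every role.
            if (hiddenFrom == null || hiddenFrom.contains(role)) {
                copy.balance = null;
            }
            return copy;
        }
    }

    public static void main(String[] args) {
        // Constructed sample data.
        Map<Long, Account> store = Map.of(1L, new Account(1L, "A", new BigDecimal("1250.00")));
        AccountEao eao = new AccountEao(store::get);
        System.out.println(eao.findForDisplay(1L, "accountOverview", "clerk").balance);
        System.out.println(eao.findForDisplay(1L, "accountOverview", "employee").balance);
        System.out.println(eao.findForDisplay(1L, "payrollReport", "employee").balance);
        System.out.println(eao.findForDisplay(1L, "unknownUseCase", "clerk").balance);
    }
}
```

Callers that receive the copy never hold the managed instance, so the hidden value cannot be reached through a getter or a lazy association on the returned object.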