Disclosure: I have about four hours of experience with drools.

This contrived rule works:

rule ReadJobTicket
 no-loop
 activation-group "permissions"
when
 check: PermissionCheck(name == "jt", action == "read", granted == false)
 JobTicket(titleName : title)
 Role(name == titleName)
then
 check.grant();
end

Permission is granted when the user has a role that matches the title in JobTicket. What I really want is permission granted when the user has a role that matches a field in the job ticket's organization. Something like:

rule ReadJobTicket
 no-loop
 activation-group "permissions"
when
 check: PermissionCheck(name == "jt", action == "read", granted == false)
 JobTicket(orgPrefix : organization.getPrefix())
 Role(name == orgPrefix)
then
 check.grant();
end

Unfortunately, this doesn't work. I'm not sure I'm referencing the prefix field in the jobTicket's organization properly. Can someone give me a clue? JobTicket has a method getOrganization(); Organization has a method getPrefix().

Next, I wanted to try inserting a long-lived fact into working memory in my app's authentication method. The seam documentation provides:

((RuleBasedIdentity) RuleBasedIdentity.instance()).getSecurityContext().insert(currentUser);

But I'm pretty sure it should read:

((RuleBasedIdentity) Identity.instance()).getSecurityContext().insert(currentUser);

But this generates a null pointer exception; it appears the security context does not exist. Any idea why?

And finally, can someone tell me what this means (from the seamspace example):

MemberBlog(member : member -> (member.getUsername().equals(principalName)))

I can't find anything in the drools documentation that describes this particular syntax.

Thanks!