I found the complete JBoss Rules documentation a little... overwhelming, so perhaps someone here could give me a hand.
I have longish security relationships where Users are allowed to see certain Customers and Customers are allowed to see certain ProductLists etc.
The correct data is filtered in queries, but I'm trying to protect myself against the case where someone has been working around the UI with URL rewrites etc.
I get the picture that JBoss Rules uses in-memory objects for checking permissions. Does that mean that I have to load in all possible relations and put the data somewhere? For example, the case where I save an Order belonging to a Customer but there is no direct link between the entity and the identity (i.e. if the user is allowed to handle that certain Customer in the first place).