Hmm, in Seam 3 this will actually be supported out of the box as we have proper support for groups. In Seam 2, it's a bit trickier... if you want to be able to use rule-based permissions with location-based roles, the problem is that you can't override RuleBasedPermissionResolver.synchronizeContext() as it's a private method. What you may need to do is extend RuleBasedPermissionResolver and override the hasPermission() method. You basically need to copy exactly what's there, however instead of calling synchronizeContext() you call your own method (e.g. mySynchronizeContext()).
In mySynchronizeContext(), instead of inserting org.jboss.seam.security.Role instances into the stateful session, you would insert your own Role instances which contain the location information. After that, you should be able to write security rules that take the role's location into account, e.g.:
```
package MyPermissions;

dialect 'mvel'

import org.jboss.seam.security.permission.PermissionCheck;
import com.mycompany.security.Role;

# Only let admins from head office update account details
rule UpdateAccountDetails
  no-loop
when
  account: AccountDetails()
  # Field constraints compare with ==
  Role(name == "admin", location == "head_office")
  check: PermissionCheck(target == account, action == "update", granted == false)
then
  check.grant();
end
```
Hope that helps.
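
The subclass described in the post above, as an added example that is not part of the original thread or of Seam's own code. `LocationPermissionResolver` and `locationRoles()` are hypothetical names, the Seam 2 and Drools calls are assumed to match the versions in use, and this version retracts its facts after each check so that a role fact never outlives the check it was inserted for.

```java
package com.mycompany.security; // package name taken from the rule's import

import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import org.drools.FactHandle;
import org.drools.StatefulSession;
import org.jboss.seam.Seam;
import org.jboss.seam.security.Identity;
import org.jboss.seam.security.permission.PermissionCheck;
import org.jboss.seam.security.permission.RuleBasedPermissionResolver;

// Hypothetical class; a concrete subclass is installed in place of the built-in resolver.
public abstract class LocationPermissionResolver extends RuleBasedPermissionResolver {

    // Assumption: the application supplies its own location-aware Role facts
    // (com.mycompany.security.Role) for the current user.
    protected abstract Collection<Role> locationRoles(Identity identity);

    @Override
    public boolean hasPermission(Object target, String action) {
        StatefulSession ctx = getSecurityContext();
        if (ctx == null) return false; // no working memory available: deny
        if (target instanceof Class) { // class targets are checked by component or class name
            String name = Seam.getComponentName((Class<?>) target);
            target = name != null ? name : ((Class<?>) target).getName();
        }
        PermissionCheck check = new PermissionCheck(target, action);
        List<FactHandle> handles = new ArrayList<FactHandle>();
        synchronized (ctx) {
            try {
                if (!(target instanceof String)) handles.add(ctx.insert(target));
                mySynchronizeContext(ctx, handles);
                handles.add(ctx.insert(check));
                ctx.fireAllRules();
            } finally {
                // Retract every fact inserted above, including the roles.
                for (FactHandle h : handles) ctx.retract(h);
            }
        }
        return check.isGranted(); // stays false unless a rule called check.grant()
    }

    // Stands in for the private synchronizeContext(): inserts location-aware
    // roles instead of org.jboss.seam.security.Role.
    private void mySynchronizeContext(StatefulSession ctx, List<FactHandle> handles) {
        Identity identity = Identity.instance();
        if (identity.getPrincipal() != null) handles.add(ctx.insert(identity.getPrincipal()));
        for (Role role : locationRoles(identity)) handles.add(ctx.insert(role));
    }
}
```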
Thanks Shane, that does help!