The BasicModel provides a tiny abstraction on top of PicketLink IDM API. It provides some basic validations and more meaningful methods to work with the basic model we provide (User, Role, Group, Grant, etc). See our docs for more details on this:
This validation in specific (that a role is granted to an user if it was granted to a group he belongs) is something that is not provided OOTB by the the BasicModel class. But you can always provide your own implementations with your own business logic.
Please note that PL is not only the BasicModel, you can always provide your own identity model (and map it to any of the available identity stores) to better fit your requirements.
1 of 1 people found this helpful
After some internal discussion around this topic, we decided to provide this validation OOTB. You can check the JIRA here:
If you have any addition consideration, please fell free to add a comment to the issue above.