could you refer to the "How to handle dynamic authorization?" thread. i have a similar requirment, and I've requested Scott if it's actually possible to have an enhancement to add/remove certain transient roles.
But the bottomline, as I understand it, is that you cannot leverage declarative J2EE security when your roles have to be ascertained dynamically on a per-call basis. You would have to either establish the roles at login time, or go for your own custom role mechanism.
I sort of assumed straight off that the standard EJB role based declarative permission design wouldn't be able to handle this.
But given what this business problem is hardly unique, I was wondering whether there was a library/module out there that would tackle this??!!??
Absolutely my thoughts. Most businesses, as I'm aware of have the needs to evaluate roles based on the relation of the person/system to the entity being acted upon. We have numerous such cases:
1) Manager updating his/her direct report's data
2) Group owner updating their group's settings/adding members to their groups et al.
Unfortunately, looks like we all have to reinvent the wheel, I guess?!