Hi, I fear the same, that sling tries to re-define and re-implement the whole JCR API stack (it already does for the most part :-(. Initially sling was a framework for building web application on top a JCR repository. But now it's a framework that happens to integrate nicely on JCR. I think the divergence to JCR started when the resource API was introduced. Although I like the idea and the elegance of the 'everything is a resource' approach, it in facts duplicates the JCR API.
Keep in mind that when you define any sort of Access Control API for sling, you eventually need to think about ACLs, Permissions, Policies, Privileges, Users, Principals, etc... All this is already specified by JCR or at least available in Jackrabbit. And as alex said: it only shields you on the resource provider level - but not on the JCR level. btw: I'm not sure how far the support for custom policies in jackrabbit is, but the basics are there. So you can (and should) implement your 9am-5pm policy definitely on the repository level. regards, toby
