Hi all, I have an application where the ACEs (Access Control Entries) are applied to a node by users and by the system itself. By the user when she/he wants to share the node with some other users, by the system when the node has to be available to some users in automatic, under specific conditions. The user should not be able to modify an ACE added by the system. Right now, when I read the ACL, I can't tell what ACE has been created by the user and what has been created by the system. Reading the documentation I saw that one possible solution might be using custom restrictions <https://jackrabbit.apache.org/oak/docs/security/authorization/restriction.html> when creating the ACE, but I'm not sure this is one of the intended usage for the restrictions. Is there a better solution for this problem?
Marco.
