> "Project ID or Name:DomainObjectName(Building, Program)
> :Operation(edit, create, workflow, etc):DomainInstanceID"

Sure, that works.

> I think by adding project name / id into my wildcard, that would allow
> me to authorize somebody to have, say, read access to all buildings in
> a specific project. Any time I create a new project, I could then
> create several roles for each project so they could be assigned to
> users, i.e. ProjectX_ADMIN, ProjectX_Viewer, ProjectX_Editor, etc.
> The admin would have permissions "ProjectX:*:*:*" - all permissions for
> project X.

Consider modifying your realm so that some roles have an associated project ID or name. The original DB realm for the Grails JSecurity plugin was modelled in this way, with a relation table between users and roles that contained the project ID (or anything else you wanted). I think that would be safer in the long run than embedding the project ID in the role name.

Cheers,

Peter
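The relation-table approach suggested in the reply above, sketched as an added example that is not part of the original thread and not the plugin's own realm code. The role templates, table rows and function names are hypothetical, and `implies` is a simplified, case-sensitive model of wildcard permission matching, not the library class itself.

```python
import re

# Hypothetical role templates: permissions without the project part,
# in the thread's DomainObject:Operation:InstanceID order.
ROLE_TEMPLATES = {
    "ADMIN":  ["*"],
    "EDITOR": ["Building,Program:read,edit"],
    "VIEWER": ["*:read"],
}

# Constructed sample rows of a user/role relation table with a project column.
USER_ROLES = [
    ("alice", "ADMIN", "ProjectX"),
    ("bob", "VIEWER", "ProjectX"),
    ("bob", "EDITOR", "ProjectY"),
]

# A project ID containing ':', ',' or '*' would change what the permission means.
SAFE_ID = re.compile(r"^[A-Za-z0-9_-]+$")


def parts(perm):
    """Split 'a:b,c:d' into a list of sets, one set of subparts per part."""
    return [set(p.split(",")) for p in perm.split(":")]


def implies(granted, requested):
    """Simplified wildcard matching: '*' matches any part, short grants match the rest."""
    g, r = parts(granted), parts(requested)
    for i, want in enumerate(r):
        if i >= len(g):
            return True  # a shorter grant implies all trailing parts
        if "*" not in g[i] and not want <= g[i]:
            return False
    # Parts the grant has beyond the request must all be wildcards.
    return all("*" in extra for extra in g[len(r):])


def permissions_for(user):
    """Build project-scoped permissions from the relation table, not from role names."""
    perms = []
    for name, role, project in USER_ROLES:
        if name != user:
            continue
        if not SAFE_ID.match(project):
            raise ValueError(f"unsafe project id: {project!r}")
        perms += [f"{project}:{t}" for t in ROLE_TEMPLATES[role]]
    return perms


def is_permitted(user, requested):
    return any(implies(p, requested) for p in permissions_for(user))
```

With this layout a new project needs only new rows in the relation table, and the three role definitions stay fixed instead of multiplying per project.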
