I have been playing with conditional roles as an replacement for ACL and we are running it in one of our projects and it works like a dream.
I have created the following code to create a common understanding:
And this is an example of the configuration:
void update(Item item);
void delete(Item item);
void create(Item item);
Every user with the role ROLE_USER is allowed to create/delete/update items as long as the condition arg0.organisation.equals(securityContext.user.orga nisation) holds.
<property name="validateConfigAttributes" value="true"/>
<property name="authenticationManager" ref="authenticationManager"/>
<property name="accessDecisionManager" ref="accessDecisionManager"/>
The org0 is the first argument of the methods (in all cases this is the Item you are trying to use). And you check if the organisation the item belongs to, is the same as the organisation of the logged in user (can be found in the securityContext).
Every user with the role ROLE_SOLUTION_OWNER can do everything he likes without any condition.
The user55 has the same roles as the admins? I haven`t added his constraints to the security.
If you need something less static, ACL would be a better alternative.