Often the basic ACL features are not sufficient to represent all authorization needs (http://dev.day.com/content/ddc/blog/2009/01/theaclisdead.html).

Wouldn't it be nice if we could define our authorization needs in an "Authorization DSL" (in Groovy or jRuby ;-) ) which then could be applied to a node, or even better a node type?

What about a mixin type:

    [sling:ScriptedACL] mixin
      + sling:aclScript protected mandatory

The aclScript would be written in the Authorization DSL. Predefined variables would provide access to the current node, session, etc.

"Dynamic ACL" (http://confluence.sakaiproject.org/display/KERNDOC/KERN-629+Time+base+ACL) would become a subset of this feature as this could be solved alike.

I agree, there are still many open points such as:

- who should execute these scripts?
- when should these scripts be executed?
- performance implications?

WDYT?
