> On Dec 10, 2015, at 12:28 PM, Shawn McKinney <[email protected]> wrote: > > > Of course this doesn’t solve the provisioning use case we discussed earlier, > i.e. assigning one or the other role. But wait, maybe it does… could we > always assign both and then just activate one or the other? Thinking….
Here’s an idea: We create a new role validation constraint that activates/deactivates a role based on whether the session is bound. That way we assign both roles: AuthUser and AnonUser. AuthUser activates iff isAuthenticated=true. AnonUser activates iff isAuthenticated=false. You can then have permissions granted to these roles as needed. WDYT? Shawn
