Assuming I understand what you're saying, that sounds great. So they would be similar to the current Temporal Constraints, but really just checkboxes, one for Anon and another for Auth. So when a session was activated for an authed user, any roles (and therefore permissions) with the isAuthenticated=true flag would be active?

----- Original Message -----
From: "Shawn McKinney" <[email protected]>
To: [email protected]
Sent: Thursday, December 10, 2015 3:40:05 PM
Subject: Re: All or Anonymous User Roles

> On Dec 10, 2015, at 12:28 PM, Shawn McKinney <[email protected]> wrote:
>
> Of course this doesn’t solve the provisioning use case we discussed earlier,
> i.e. assigning one or the other role. But wait, maybe it does… could we
> always assign both and then just activate one or the other? Thinking….

Here’s an idea:

We create a new role validation constraint that activates/deactivates a role based on whether the session is bound. That way we assign both roles: AuthUser and AnonUser.

AuthUser activates iff isAuthenticated=true.
AnonUser activates iff isAuthenticated=false.

You can then have permissions granted to these roles as needed.

WDYT?

Shawn
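
A minimal Python model of the constraint proposed in this thread, added here as an illustration; it is not Fortress code and not code from either participant. The class and function names, the permission strings, and the re-validation of the constraint on every access check are assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum

class AuthConstraint(Enum):
    NONE = 0       # role ignores authentication state
    AUTH_ONLY = 1  # activates iff isAuthenticated=true
    ANON_ONLY = 2  # activates iff isAuthenticated=false

@dataclass(frozen=True)
class Role:
    name: str
    constraint: AuthConstraint
    permissions: frozenset

@dataclass
class Session:
    assigned: tuple                 # every role assigned to the user
    is_authenticated: bool
    active: list = field(default_factory=list)

def validate(role, session):
    """The proposed constraint: does this role pass for the session state?"""
    if role.constraint is AuthConstraint.AUTH_ONLY:
        return session.is_authenticated
    if role.constraint is AuthConstraint.ANON_ONLY:
        return not session.is_authenticated
    return True

def create_session(assigned, is_authenticated):
    s = Session(tuple(assigned), is_authenticated)
    s.active = [r for r in s.assigned if validate(r, s)]
    return s

def check_access(session, permission):
    # Assumption: constraints are re-validated on every check, so a role
    # activated under a previous state grants nothing after the state changes.
    return any(permission in r.permissions
               for r in session.active if validate(r, session))

def active_names(session):
    return sorted(r.name for r in session.active if validate(r, session))

# Constructed sample roles and permissions
AUTH_USER = Role("AuthUser", AuthConstraint.AUTH_ONLY, frozenset({"profile:edit", "page:read"}))
ANON_USER = Role("AnonUser", AuthConstraint.ANON_ONLY, frozenset({"account:register", "page:read"}))
BOTH = [AUTH_USER, ANON_USER]   # both roles are always assigned

if __name__ == "__main__":
    for flag in (False, True):
        s = create_session(BOTH, flag)
        print(flag, active_names(s), check_access(s, "profile:edit"))
```
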
