It sounds like what you need is essentially roles that exist within a namespace - the namespace being the group.
Seems to me that if you think about it like that, your latter option stands out clearly as the most appropriate.

Ed Anuff <[email protected]> wrote:

We've been migrating to Shiro and I'm wondering about the best way to implement group-specific roles in Shiro. In our system, groups are primarily organizational (think a team or club) so are distinct from roles. There are group-specific admin roles and groups can arbitrarily create their own roles that aren't shared with any other group.

Would these types of roles be better implemented as permissions ("groups:admin-role:group-id") or as a role with a naming convention such as "group-id:admin". My sense is that the latter is more appropriate, but didn't want to go against the grain of Shiro.

Ed
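Added example (not part of the thread, and not code from either poster): the two encodings discussed above, side by side, using Shiro's SimpleAuthorizationInfo and WildcardPermission. The helper scopedRole(), the group ids "team-42" and "team-7", and the allowed character set are assumptions made for illustration.

```java
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.authz.permission.WildcardPermission;

public class GroupScopedRoles {

    // Hypothetical helper: builds the "group-id:role" name from the naming convention.
    // Groups choose their own role names, so both parts are validated. Without this,
    // group "a" + role "b:admin" and group "a:b" + role "admin" yield the same string.
    static String scopedRole(String groupId, String roleName) {
        String safe = "[A-Za-z0-9_-]+"; // assumed policy: no ':', ',' or '*'
        if (!groupId.matches(safe) || !roleName.matches(safe)) {
            throw new IllegalArgumentException("illegal character in group id or role name");
        }
        return groupId + ":" + roleName;
    }

    public static void main(String[] args) {
        // Constructed sample: what a Realm could return for a user who administers team-42.
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        info.addRole(scopedRole("team-42", "admin"));          // role with naming convention
        info.addStringPermission("groups:admin-role:team-42"); // permission encoding

        // Role names are opaque strings to Shiro: the match is exact, per group.
        System.out.println("role, team-42: "
                + info.getRoles().contains(scopedRole("team-42", "admin")));
        System.out.println("role, team-7:  "
                + info.getRoles().contains(scopedRole("team-7", "admin")));

        // Permission strings are parsed: ':' separates parts, ',' separates
        // sub-parts and '*' is a wildcard, so a group id containing any of
        // these would change the meaning of the grant.
        WildcardPermission held = new WildcardPermission("groups:admin-role:team-42");
        System.out.println("perm, team-42: "
                + held.implies(new WildcardPermission("groups:admin-role:team-42")));
        System.out.println("perm, team-7:  "
                + held.implies(new WildcardPermission("groups:admin-role:team-7")));

        // A single wildcard grant covers every group, which a role name cannot express.
        WildcardPermission siteWide = new WildcardPermission("groups:admin-role:*");
        System.out.println("wildcard, team-7: "
                + siteWide.implies(new WildcardPermission("groups:admin-role:team-7")));

        // The collision case is rejected before it can reach the role store.
        try {
            scopedRole("a", "b:admin");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Whichever encoding is chosen, the validation belongs at the point where a group creates a role, since that is where the caller controls the name.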
