users@glassfish.java.net

Re: Dynamic role handling

From: Bobby Bissett - Javasoft <Robert.Bissett_at_Sun.COM>
Date: Tue, 15 May 2007 10:50:14 -0400

> I need to have a dynamic set of groups and roles for each user depending on
> the selected (current) object. This is similar to the real world where one
> person has different permissions (groups and roles) depending on where that
> person is: own company, shop, cinema, partner company, home, etc.
[...]
> Any suggestions?

This is just my opinion, but I don't see the need for dynamic groups and
roles to take care of this. As an example, imagine you're using the same
server for the sites of 'cinema' and 'museum' and both apps divide
resource access into 'user' and 'manager' roles (which represent
permissions really, and not actual entities such as users).

In the server, I would create groups cinema-user, cinema-manager,
museum-user, and museum-manager. Thus, if you own the museum, you would
be in the museum-manager and possibly cinema-user groups (and the
museum-user group as well, depending on how you want to architect things).

Then you can simply map 'museum-manager' group to 'manager' role for the
museum app, 'cinema-manager' group to 'manager' for the cinema app,
etc., and there would be no need for dynamically switching groups. While
there may be good use cases for being able to dynamically switch things
around, I prefer simplicity when it comes to security in an application.

Cheers,
Bobby
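
The static mapping described in the message above, sketched as GlassFish deployment descriptor fragments. This is an added example, not part of the original message; the `/admin/*` URL pattern and the resource name are assumptions, while the group and role names are the ones used in the reply.

```xml
<!-- museum app, WEB-INF/web.xml (fragment): the application only knows
     its own role names, 'user' and 'manager'. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>management pages</web-resource-name> <!-- assumed name -->
    <url-pattern>/admin/*</url-pattern>                     <!-- assumed path -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>manager</role-name>
  </auth-constraint>
</security-constraint>
<security-role><role-name>user</role-name></security-role>
<security-role><role-name>manager</role-name></security-role>

<!-- museum app, WEB-INF/sun-web.xml: bind the app-local roles to the
     server-wide groups that belong to the museum. -->
<sun-web-app>
  <security-role-mapping>
    <role-name>manager</role-name>
    <group-name>museum-manager</group-name>
  </security-role-mapping>
  <security-role-mapping>
    <role-name>user</role-name>
    <group-name>museum-user</group-name>
  </security-role-mapping>
</sun-web-app>

<!-- cinema app, WEB-INF/sun-web.xml: same role names, different groups.
     Its web.xml declares the same 'user' and 'manager' roles. -->
<sun-web-app>
  <security-role-mapping>
    <role-name>manager</role-name>
    <group-name>cinema-manager</group-name>
  </security-role-mapping>
  <security-role-mapping>
    <role-name>user</role-name>
    <group-name>cinema-user</group-name>
  </security-role-mapping>
</sun-web-app>
```

With these mappings, a user in the museum-manager and cinema-user groups holds 'manager' in the museum app and only 'user' in the cinema app, with no group switching at runtime.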