
Grouper can limit a permission to a condition in the environment or data passed to Grouper.

A limit is an attribute of type limit assigned to the permission assignment, the role membership, the role, or the permission definition.  Note: I think we could do something by permission name by assigning to the permission definition and checking the permission name in the environment (or we would need a way to assign an attribute to an attribute name).

At runtime, Grouper, or custom logic, or the caller of the API or WS could set environment variables for the request that the request logic can use.

At first, there will not be a helpful UI, but there will be a regex where things will be possible :)

For instance, a built-in limit expression language (EL) could be:

school:etc:limits:expressionLanguage

Or, if you want to make sure the environment variables are always passed in (or the permission would not be allowed):

school:etc:limits:expressionLanguageArgumentsRequired

When it is assigned, the value could be:

${amount <= 50000}

This would put all of the request's environment variables in scope for the EL expression.

There could be helper classes to do things...

${helper.hourOfDay() >= 9 && helper.hourOfDay() <= 17}

Or

${helper.ipOnNetworks(ipAddress, '1.2.3.4/24, 2.3.4.5/26')}
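One way the `ipOnNetworks` helper in the expression above could behave, as an added example that is not Grouper's own code: the class name `LimitHelperExample`, the IPv4-only parsing and the deny-on-error behavior are assumptions. It masks both the caller address and the configured address, so `1.2.3.4/24` matches the whole 1.2.3.0/24 network, and a missing `ipAddress` variable never satisfies the limit.

```java
// Added example: hypothetical limit helper, not Grouper's own code. IPv4 only.
public class LimitHelperExample {

  /** True if ipAddress is inside any CIDR block of the comma-separated list. */
  public static boolean ipOnNetworks(String ipAddress, String networks) {
    if (ipAddress == null || networks == null) {
      return false; // fail closed: a missing environment variable never satisfies the limit
    }
    try {
      int ip = toInt(ipAddress.trim());
      for (String network : networks.split(",")) {
        String[] parts = network.trim().split("/", -1);
        // anything other than "address/prefix" becomes -1 and is denied below
        int prefix = parts.length == 2 ? Integer.parseInt(parts[1]) : -1;
        if (prefix < 0 || prefix > 32) {
          return false; // malformed limit value: deny rather than guess
        }
        // Java masks int shift counts to 5 bits, so -1 << 32 is -1; handle /0 explicitly
        int mask = (prefix == 0) ? 0 : (-1 << (32 - prefix));
        // mask both sides so '1.2.3.4/24' is matched as the 1.2.3.0/24 network
        if ((ip & mask) == (toInt(parts[0]) & mask)) {
          return true;
        }
      }
      return false;
    } catch (IllegalArgumentException e) {
      return false; // unparsable address or prefix (NumberFormatException included)
    }
  }

  /** Parses a dotted-quad string without DNS lookups; throws on anything else. */
  private static int toInt(String dottedQuad) {
    String[] octets = dottedQuad.split("\\.", -1);
    if (octets.length != 4) throw new IllegalArgumentException("not IPv4: " + dottedQuad);
    int value = 0;
    for (String octet : octets) {
      int o = Integer.parseInt(octet);
      if (o < 0 || o > 255) throw new IllegalArgumentException("bad octet: " + dottedQuad);
      value = (value << 8) | o;
    }
    return value;
  }

  public static void main(String[] args) {
    String limit = "1.2.3.4/24, 2.3.4.5/26"; // networks from the expression above
    System.out.println(ipOnNetworks("1.2.3.200", limit)); // constructed caller address
    System.out.println(ipOnNetworks("2.3.4.70", limit));  // constructed, outside the /26
    System.out.println(ipOnNetworks(null, limit));        // variable not passed in
  }
}
```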

In grouper.properties you could configure other helper classes that are in scope in the expression language.

In grouper.properties you could also associate custom limits with an implementation of a Java interface.

We need to work on the UI for this... so users don't have to enter their own EL :)
