...
Assuming a generic authorization model (user → has permission → object), maybe we don’t need groups. But we should look at other systems to see what groups buy us. I think that, practically, it’s difficult to grant read permissions to a set of users without a grouping construct (when I create a new study, the system has to figure out who should be able to see it, and that’s not easy with overlapping associations).
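To make the trade-off concrete, here is an added example (not code from the original notes; the `Acl`, `Study` and group names are hypothetical) that contrasts a flat user → permission → object model with one that adds a group construct. In the flat model the creator of a study must enumerate readers up front from overlapping associations; in the grouped model membership is resolved at check time, so a user who joins later inherits access.

```python
from dataclasses import dataclass, field


@dataclass
class Acl:
    """Minimal ACL: grants are (principal, permission, object_id) triples.
    A principal is either a user name or a group name (hypothetical model)."""
    grants: set = field(default_factory=set)
    groups: dict = field(default_factory=dict)  # group name -> set of users

    def grant(self, principal, permission, obj):
        self.grants.add((principal, permission, obj))

    def add_member(self, group, user):
        self.groups.setdefault(group, set()).add(user)

    def is_allowed(self, user, permission, obj):
        # Direct grant first, then any group the user currently belongs to.
        if (user, permission, obj) in self.grants:
            return True
        return any((g, permission, obj) in self.grants
                   for g, members in self.groups.items() if user in members)


def create_study_flat(acl, study_id, site_users, project_users):
    """No groups: readers are computed once, at creation, from the
    overlapping site/project associations, and stored as direct grants."""
    readers = site_users | project_users
    for user in readers:
        acl.grant(user, "read", study_id)
    return readers


def create_study_grouped(acl, study_id, groups):
    """With groups: grant read to each relevant group; who is in the
    group is decided at check time, not at creation time."""
    for group in groups:
        acl.grant(group, "read", study_id)


def demo():
    # Constructed sample data: two overlapping associations for one study.
    site, project = {"alice", "bob"}, {"bob", "carol"}
    flat, grouped = Acl(), Acl()
    create_study_flat(flat, "study-1", site, project)
    for group, members in {"site-A": site, "project-X": project}.items():
        for user in members:
            grouped.add_member(group, user)
    create_study_grouped(grouped, "study-1", ["site-A", "project-X"])
    grouped.add_member("site-A", "dave")  # dave joins after the study exists
    return {"carol_flat": flat.is_allowed("carol", "read", "study-1"),
            "dave_flat": flat.is_allowed("dave", "read", "study-1"),
            "dave_grouped": grouped.is_allowed("dave", "read", "study-1"),
            "eve_grouped": grouped.is_allowed("eve", "read", "study-1")}
```

In the flat model, keeping dave's access correct would require re-deriving grants for every existing study whenever an association changes; the grouped model pushes that work into the membership check.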
Implementation Considerations
We’re reimplementing a lot of the functionality of Spring Security’s authorization support. It might be preferable to switch over to it rather than continue building a custom solution.