in our application we will have some attributes that are calculated by traversing through the object graph. In most cases, the business logic behind the calculated field is to determine which user is responsible for the object.
On top of that, we have security constraints that are based on the responsible person, i.e. the calculated field.
Is it possible to define Access Group permissions based on the calculated attribute? I guess the answer is no, because of the same reason why it does not work for filters, that is because the calculation of the filter and security rule is perfomed on database level and not in the middleware.
The only solution that I can think of is reimplement the calculation of the attribute in the constraint of the access group, by joining the relevant tables together.
Do you have a different suggestion on how to handle our use case? In a perfect world, we would only want to implement the calculation of the transient attribute once (no matter where, it could be a query or by traversing over the object model in java, whatever…) so that we could reuse the code at different occasions.