SysGroup as ACL authority
The SysGroup#groupTag field must be readonly. This prevents renaming the authority SID and the need for additional aspects that would modify the ACL SID entry. We shouldn't extend AclSid in this case, but need to ensure that the entry is created with aclService.ensureAuthoritySid on @PrePersist and then aclService.removeAuthoritySid on @PreRemove. See an example of accessing Spring services in org.gringlobal.model.AuditedModel#fetchSysUser.
Also please set SysUser#username and WebUser#username to readonly.
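One way to map the SysGroup requirements above, as an added sketch that is not GRIN-Global's own code. The AclService method signatures, the Services holder used to reach the service from an entity, and the jakarta.persistence namespace are assumptions; the project's actual lookup is the one in AuditedModel#fetchSysUser.

```java
import jakarta.persistence.Column;
import jakarta.persistence.Entity;
import jakarta.persistence.GeneratedValue;
import jakarta.persistence.Id;
import jakarta.persistence.PrePersist;
import jakarta.persistence.PreRemove;
import java.util.Objects;

// Assumed shape of the two service methods named above; the real signatures may differ.
interface AclService {
    void ensureAuthoritySid(String authority);
    void removeAuthoritySid(String authority);
}

// Hypothetical static holder: a JPA entity is not a Spring bean, so it cannot be autowired.
final class Services {
    private static volatile AclService aclService;
    private Services() {}
    static void register(AclService service) { aclService = service; }
    static AclService acl() {
        AclService service = aclService;
        if (service == null) throw new IllegalStateException("AclService not registered");
        return service;
    }
}

@Entity
public class SysGroup {
    @Id @GeneratedValue
    private Long id;

    // updatable = false keeps the column out of UPDATE statements, so the
    // authority name stored in the ACL SID table can never go stale.
    @Column(updatable = false)
    private String groupTag;

    protected SysGroup() {} // no-arg constructor required by JPA

    public SysGroup(String groupTag) { this.groupTag = Objects.requireNonNull(groupTag); }

    public String getGroupTag() { return groupTag; } // deliberately no setter

    // Create the matching authority SID before the group row is inserted.
    @PrePersist
    void createAuthoritySid() { Services.acl().ensureAuthoritySid(groupTag); }

    // Drop the authority SID when the group itself is deleted.
    @PreRemove
    void deleteAuthoritySid() { Services.acl().removeAuthoritySid(groupTag); }
}
```

With updatable = false the provider ignores in-memory changes at flush time instead of raising an error, so leaving out the setter is what makes an attempted rename visible at compile time.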