...

Currently the model is completely statically defined: a type (category instance) cannot have a private hierarchy of its own managed objects. This is pertinent to the Identity discussion because group providers currently have child and grandchild categories, Group and GroupMember, but these only make sense for group provider implementations that have total knowledge of all the members of a group, as a FileGroupProvider does. That is not normally the case: a GroupProvider's primary role is to provide additional identities for the user, and most GroupProviders won't have the ability to manage the whole group. We talked about changing the REST API URL to be fully hierarchical so that private categories could be accommodated.

Background Info

Kerberos/Groups

A Kerberos ticket does convey authorization information, but it seems this is not used much in the UNIX world. On Windows, the authorization field is used to distribute a PAC (Privilege Attribute Certificate), which includes group memberships from an Active Directory. Java GSSAPI cannot read this information; there is at least one LGPL Java project (Jaas Lounge) that can. On a non-MS platform the advice seems to be to query the directory independently after the Kerberos authentication. This might call for an LDAPGroupProvider whose only role is to query groups for an already authenticated user.

Source: http://www.kerberos.org/software/appskerberos.pdf
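As an added illustration of the LDAPGroupProvider idea (example code, not from this page or the project), the sketch below resolves groups only after Kerberos has authenticated the principal, binds with a read-only service account rather than the user's credentials, and escapes the principal name before placing it in the search filter. The class name, the LDAPS URL, service DN, password environment variable, group base and the posixGroup/memberUid schema are all assumptions.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.*;

/** Hypothetical LDAPGroupProvider: resolves groups for a principal that Kerberos has ALREADY authenticated. */
public class LdapGroupProvider {
    // Assumed settings: LDAPS endpoint, a read-only service account for the search, and the group subtree.
    static final String URL = "ldaps://ldap.example.com:636";
    static final String BIND_DN = "cn=groupreader,ou=services,dc=example,dc=com";
    static final String BIND_PASSWORD = System.getenv("LDAP_GROUPREADER_PASSWORD");
    static final String GROUP_BASE = "ou=groups,dc=example,dc=com";

    /** RFC 4515 escaping so a name taken from a ticket cannot alter the search filter. */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder();
        for (char c : value.toCharArray()) {
            if ("\\*()\0".indexOf(c) >= 0) sb.append(String.format("\\%02x", (int) c)); // e.g. '*' -> "\2a"
            else sb.append(c);
        }
        return sb.toString();
    }

    /** Returns the cn of each posixGroup listing the principal in memberUid (assumes uid == Kerberos name). */
    public static List<String> getGroups(String kerberosPrincipal) throws NamingException {
        String uid = kerberosPrincipal.split("@", 2)[0];              // "alice@EXAMPLE.COM" -> "alice"
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_PRINCIPAL, BIND_DN);                 // the service account binds, never the user
        env.put(Context.SECURITY_CREDENTIALS, BIND_PASSWORD);
        DirContext ctx = new InitialDirContext(env);
        try {
            // Subtree search returning only cn; no objects returned, no alias dereferencing.
            SearchControls sc = new SearchControls(SearchControls.SUBTREE_SCOPE, 0, 0, new String[] {"cn"}, false, false);
            String filter = "(&(objectClass=posixGroup)(memberUid=" + escapeFilterValue(uid) + "))";
            List<String> groups = new ArrayList<>();
            NamingEnumeration<SearchResult> results = ctx.search(GROUP_BASE, filter, sc);
            while (results.hasMore()) {
                Attribute cn = results.next().getAttributes().get("cn");
                if (cn != null) groups.add(cn.get().toString());
            }
            return groups;
        } finally {
            ctx.close();                                              // read-only lookup; always release the bind
        }
    }
}
```

The provider never sees a user password or ticket beyond the principal name, which is the least-privilege split the discussion above argues for: authentication stays with Kerberos, and the directory is consulted only to enrich an identity that has already been established.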