Using Shiro we have a great security framework embedded in our enterprise application running on GF. You define users, roles, permissions and we can control at any fine-grain level if a user can access the application, a certain page or even click a specific button.

Is there a recipe or pattern, that allows on top of that, to restrict a user from seeing certain data ?

Sample: You have a customer table for 3 factories (part of one company). An admin user can see all customer records, but the user at the local factory must not see any customer data of other factories (for whatever reason).

Te security feature should be part of the role definition.

Thanks for any input and ideas