we may consider extending the Jackrabbit user management API with the concept of dynamic groups that would have the following characteristics:
- the group in the repository is just a marker
- the group members are not stored with the group and are not revealed by regular membership operations such as 'getMembers', 'getDeclaredMembers', 'memberOf', 'declaredMemberOf'
- the dynamic group membership is only evaluated upon authentication (e.g. in the principal provider implementation) based on implementation details both in the principal provider and the login module.
one example to illustrate the concept of dynamic groups is the 'Everyone' principal, of which every principal of the default principal management implementation is a member. for consistency, this group principal already requires special treatment in the user management implementation in case there exists an 'everyone' group (match by principal name only).
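
A simplified model of the behaviour described above, added here as an illustration and not Jackrabbit code. The names `Group`, `PrincipalResolver` and `principalsAtLogin` are hypothetical, and the rule that only a group named 'everyone' is dynamic is an assumption taken from the example in the text.

```java
import java.util.*;

// Simplified model, not the Jackrabbit API: every class and method name is hypothetical.
public class DynamicGroupSketch {

    /** A group as the user management layer sees it. */
    static class Group {
        final String principalName;
        final boolean dynamic;                 // true: the repository item is only a marker
        private final Set<String> declared = new LinkedHashSet<>();

        Group(String principalName, boolean dynamic, String... members) {
            this.principalName = principalName;
            this.dynamic = dynamic;
            if (!dynamic) declared.addAll(Arrays.asList(members)); // nothing stored for dynamic groups
        }

        // Regular membership operation: a dynamic group never reveals members.
        Set<String> getDeclaredMembers() {
            return dynamic ? Collections.<String>emptySet() : Collections.unmodifiableSet(declared);
        }
    }

    /** Stand-in for the principal provider / login module: membership is decided at login. */
    static class PrincipalResolver {
        private final List<Group> groups = new ArrayList<>();
        void register(Group g) { groups.add(g); }

        Set<String> principalsAtLogin(String userId) {
            Set<String> principals = new LinkedHashSet<>();
            principals.add(userId);
            for (Group g : groups) {
                boolean member = g.dynamic ? isDynamicMember(g) : g.getDeclaredMembers().contains(userId);
                if (member) principals.add(g.principalName);
            }
            return principals;
        }

        // Assumed rule: the dynamic group is matched by principal name only and includes everyone.
        private boolean isDynamicMember(Group g) { return "everyone".equals(g.principalName); }
    }

    public static void main(String[] args) {
        Group everyone = new Group("everyone", true);          // marker only (constructed sample)
        Group editors = new Group("editors", false, "alice");  // regular group (constructed sample)
        PrincipalResolver resolver = new PrincipalResolver();
        resolver.register(everyone);
        resolver.register(editors);
        System.out.println("everyone.getDeclaredMembers(): " + everyone.getDeclaredMembers());
        System.out.println("login alice: " + resolver.principalsAtLogin("alice"));
        System.out.println("login bob:   " + resolver.principalsAtLogin("bob"));
    }
}
```

Anything that audits access by listing group members through the user management API would not see dynamic membership in this model; the effective principal set only exists after login.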