Today it is not possible to plug a custom RestrictionProvider with restrictions (or restriction-patterns for that matter) that would allow to evaluate against the effective set of principals for which permission evaluation is executed.
Reason: In contrast to AuthorizationConfiguration.getPermissionProvider()AuthorizationConfiguration.getRestrictionProvider() does not get the set of effective principals passed.
What is possible today is something like e.g.
What is not feasible today is something like
as the restriction evaluation today is agnostic of the principals for which the restrictions are being evaluated.
This improvement aims for investigating what it would take to make the set of principals available with the PermissionProvider available to the RestrictionProvider during evaluation.
cc: Tom Blackford