IDM. BPMN Groups vs Spring Security Groups

Thanks for the thorough explanation. Am I understanding you correctly that you want to add the concept of a ‘role’ that could also be a member of a group? Is a role something that gets persisted (with foreign keys and all that to user/groups) or is it more something orthogonal to it, that gets applied when needed?

FYI: in the past, we’ve had the concept of a ‘security group’ (see https://github.com/flowable/flowable-engine/blob/master/modules/flowable-ui-idm/flowable-ui-idm-logic/src/main/java/org/flowable/ui/idm/constant/GroupTypes.java#L21), which is a group for the IDM engine, but treated differently. The current implementation, however, doesn’t use that type anymore. With a security group, privileges can be attached to that group.