Currently, we have an issue security scheme that specifies a security level of "Reporter plus support." Of course, the "Users/Groups" for this level is "Reporter" plus the group of users that comprise the support folks. This has worked really well for us.
Some of our "customers" have more than one user that submits issues, and they would like to see all the issues reported by their "company."
Rather than try to manage this with separate groups (one for each customer), I would like to try this:
We need something like a "Reporter Domain" user/group, and when this is specified, security checks would work similarly to the "Reporter" user. But instead of comparing the id of the current signed-on user with the id of the reporter of the issue, compare the e-mail domain of the signed-on user with the "reporterdomain" custom field (that is implemented by one of the Atlassian-supplied plug-ins) in the issue.
We would like to see this as both an issue security level and as a transition condition.
Clearly the execution code change is very small. The trick is going to be getting this configurable, translated, documented, etc.
A portion of this is already implemented in that we already have the "reporterdomain" field configured.
Of course, using e-mail for this introduces its own set of requirements on registration. For example, there needs to be a flag in configuration to require e-mail verification. That is, it should not be possible for someone to register with an e-mail address of firstname.lastname@example.org and then be able to look at all issues reported by anyone at mycompany.com without at least going through mycompany's e-mail system first.
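The check requested above, sketched as an added example that is not part of the original request and not Jira plugin code: it compares the signed-on user's e-mail domain with the issue's "reporterdomain" value and refuses unverified addresses. The `User` and `Issue` records, the function names and the `require_verified` flag are assumptions made for illustration, and the sample values in the comments are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class User:
    # Hypothetical user record, not a Jira type.
    name: str
    email: str
    email_verified: bool  # set only after the address was confirmed by mail


@dataclass(frozen=True)
class Issue:
    # Hypothetical issue record carrying the "reporterdomain" custom field.
    key: str
    reporter_domain: Optional[str]


def email_domain(address: str) -> Optional[str]:
    """Return the lower-cased domain of an address, or None if malformed."""
    local, sep, domain = address.strip().rpartition("@")
    domain = domain.rstrip(".").lower()
    # Fail closed: no "@", empty parts, or a second "@" are all rejected.
    if not sep or not local or not domain or "@" in local or " " in domain:
        return None
    return domain


def reporter_domain_allows(user: User, issue: Issue,
                           require_verified: bool = True) -> bool:
    """True when the "Reporter Domain" rule grants this user access."""
    # The configuration flag from the request: an address the user never
    # proved control of must not unlock a company's issues.
    if require_verified and not user.email_verified:
        return False
    user_dom = email_domain(user.email)
    issue_dom = (issue.reporter_domain or "").strip().rstrip(".").lower()
    if user_dom is None or not issue_dom:
        return False
    # Exact comparison only: a suffix or substring test would also match
    # look-alike domains that merely contain the company's name.
    return user_dom == issue_dom


# Constructed sample: reporter_domain_allows(
#     User("alice", "alice@MyCompany.com", True),
#     Issue("SUP-1", "mycompany.com"))
```

The rule denies access when the issue has no "reporterdomain" value, so issues created before the field was populated stay visible only through the existing "Reporter plus support" level.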