Role based permission schemes (eg. 'grant BROWSE to ${project}-users')

This is related to JRA-2814 in the sense that it is useful for large installations.

Currently for every project I create, I typically need to create one or more groups. This might be the "developers" or maybe "release managers" or other such roles.

Once I establish these roles using groups, I unfortunately have to create a separate permission scheme that map to these specific group names. This leads to a very large number of permission schemes, usually 1-to-1 with the # of projects.

Instead it would be nice to define some custom project-level attributes such as the "group that is the developers" or "group that are the administrators". Then my permission scheme could just be the scheme that says the developers could do this and the release managers could do this and the testers could do this and the internationalization team can do this.

Right now "scheme" is a bit misleading for permissions because it's not really so much a "scheme" so much as a straight-forward ACL. By allowing a project to have ad-hoc project-specific groups, my permission scheme can become a scheme in the policy sense, and the project then maps to groups which becomes the ACL. Poorly worded, but hopefully you can see where I'm going.