How to implement ACL at a group level? E.g. only teachers in school A can update school A's calendar

Question

Trying to solve the following problem using Spring Security ACL: only teachers in school A can update school A's calendar.

Is it possible to implement such permission structure without adding an ACL entry for each teacher to have update permission over that school's calendar (approach #1)? Or is it possible to define school A group, assign every teacher in that school to that group and give the group write permission over the school's calendar (approach #2)?

Approach #2 is preferable because approaches would generate the same amount of records for a single item like the calendar, but if another item was shared (school A's message board for example) approach #2 would only require 1 additional record, approach #1 would require new records for every teacher and harder to maintain if a teacher is removed or added (2 deletes/2 updates).

Answer 1

You can grant permissions in spring acl to granted_authorities. Basically, by virtue of being in a certain group, you create a granted authority for that group (either explicit or implicit). The users who are part of the group get the GA. Permissions are assigned to the GA. If the user is removed from the group, remove the GA, and they will lose the access.