as suggested by @keul, you can use redomino.tokenrole
.
If you want to integrate the tokenrole
feature with a PloneFormGen
you might consider to have a look at redomino.tokenroleform
(https://pypi.python.org/pypi/redomino.tokenroleform):
It is a custom plone form gen adapter that let you share a private object via token.
I don't know if redomino.tokenroleform
fits your use case.
But you can browse the code in order to understand how to add a tokenrole programmatically.