You can definitely write a JPA interceptor which checks actual field values using equals() during an update operation. (In theory you should really use Type.isDirty() in Hibernate, but that's not portable.) So you would require that the user annotate entity attributes with @Restrict, and imply a permission like (customer, name) from that. Then the interceptor would look at the fields annotated @Restrict and check the permission when the entity is updated. The thing which makes me a bit skeptical of this stuff is that there would only be field-level permissions for update operations, not for read, create, delete. I suppose you could interpret a field-level permission during create as meaning that it gets checked if it is non-null. But read would be *very* difficult to do. Shane, I don't see how Hibernate Validator would help. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4029168#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...