At present, privilege check methods such as those in org.picketlink.idm.model.basic.BasicModel (e.g. isMember(), hasRole(), etc.) check only for direct assignment. Indirect privileges, such as those gained from being a member of a group, are not currently supported.
The @InheritsPrivileges annotation is intended to allow identity classes and relationships to be configured with a "chain" of privileges, from which a determination can be made as to whether an identity is entitled to a privilege which may be assigned indirectly via a group membership (or other relationship type).
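The gap between a direct check and a chain-following check, as an added example that is not PicketLink code: the class, the two maps and the identifier strings are hypothetical stand-ins, and the breadth-first walk is one possible way to resolve a privilege chain, not a description of how @InheritsPrivileges is implemented.

```java
import java.util.*;

// Self-contained model; these types are hypothetical stand-ins, not PicketLink classes.
public class PrivilegeChainDemo {
    // Constructed data: (assignee -> roles) grants and (member -> groups) memberships.
    static final Map<String, Set<String>> grants = new HashMap<>();
    static final Map<String, Set<String>> memberOf = new HashMap<>();

    static void grant(String assignee, String role) {
        grants.computeIfAbsent(assignee, k -> new HashSet<>()).add(role);
    }

    static void addMember(String member, String group) {
        memberOf.computeIfAbsent(member, k -> new HashSet<>()).add(group);
    }

    // Direct-assignment check: the behaviour the text describes for the current methods.
    static boolean hasRoleDirect(String identity, String role) {
        return grants.getOrDefault(identity, Collections.emptySet()).contains(role);
    }

    // Chain-following check: walks memberships breadth-first. The visited set
    // ends the walk when groups are nested in a cycle.
    static boolean hasRoleInherited(String identity, String role) {
        Deque<String> queue = new ArrayDeque<>();
        Set<String> visited = new HashSet<>();
        queue.add(identity);
        while (!queue.isEmpty()) {
            String current = queue.poll();
            if (!visited.add(current)) continue;   // already examined
            if (hasRoleDirect(current, role)) return true;
            queue.addAll(memberOf.getOrDefault(current, Collections.emptySet()));
        }
        return false;
    }

    public static void main(String[] args) {
        grant("group:admins", "role:auditor");        // role granted to a group only
        addMember("user:jane", "group:ops");
        addMember("group:ops", "group:admins");       // nested group
        addMember("group:admins", "group:ops");       // cyclic nesting, constructed
        System.out.println(hasRoleDirect("user:jane", "role:auditor"));
        System.out.println(hasRoleInherited("user:jane", "role:auditor"));
        System.out.println(hasRoleInherited("user:jane", "role:root"));
    }
}
```

The first call misses the role because it is granted to a group two memberships away from the user; the second finds it, and the third terminates despite the cyclic nesting.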