The current implementation of delegated administration relies on Roles, where each Role associates a set of Entitlements (e.g. administrative actions) to a set of Realms (e.g. containers for Users / Groups / Any Objects).

This requires, however, that the set of Users / Groups / Any Objects to administer is somehow statically defined by containment: "administrators with role R can manage users under realms /a and /b" works as long as users to administer are fully contained by the Realms /a and /b; but what if the set of Users that R can administer needs to be dynamically defined, say by the value of a 'department' attribute?

Proposed solution

Introduce new entity: Dynamic Realms and extend Roles to map a set of Entitlements to a set of Realms and / or Dynamic Realms.
A Dynamic Realm is defined by its unique name and FIQL conditions (similarly to Groups). Given that, it can work as dynamic container for Users, Groups and Any Objects.

Upon delegated administrator's authentication, the owned roles will be evaluated (as in the current implementation) and the set of effective Realms and Dynamic Realms for which entitlements are granted will be built.

Known limitations

1. CREATE entitlement(s) cannot be granted via Dynamic Realms: as Dynamic Realms are not physical containers as Realms, allowing to create in a Dynamic Realm would mean granting CREATE in the root Realm
2. UPDATE entitlement(s) can be granted via Dynamic Realms, with condition that any modification to matching Users / Groups / Any Objects does not alter the set of Dynamic Realms such entity is part of
3. DELETE entitlement(s) cannot be granted via Dynamic Realms: as the same User / Group / Any Object can be shared by several Virtual Realms at once, deleting from a Virtual Realm might cause unwanted side effects in other Dynamic Realms

 In other word: the only changes on a given entity, accepted by a delegated administrator through Dynamic Realms, are the ones that do not change any Dynamic Realm's matching condition for such entity.