Just to make clear what I mean with “dynamic role” is something like this:
roles:
'Passcreator.Passcreator:BasicUser':
dynamicPrivilegeReader: 'Passcreator\Security\Foo\Bar'
privileges:
-
privilegeTarget: LoginActions
permission: GRANT
The “dynamicPrivilegeReader” (forget the name for now 
) would then return an array of privileges (PrivilegeInterface) that will be dynamically added to the privileges defined in the Policy.yaml which means the Role DTO of Flow would need to call a function of the class specified as privilege reader.