Dec 10, 2020 at 08:55 AM

SAP Cloud Portal (Neo): is there an API for LDAP Mapping to Groups?


Sorry if this seems like a strange requirement ... but here you go.

Basically - is there a way to delegate the Cloud Groups Information for a User to a custom Application, instead of having it mapped to (for example) LDAP Groups?

In the Cloud portal we define Roles. The Roles get mapped to Groups, and those Groups get mapped (in our case) to LDAP Roles.

So far so good.

Now there is a requirement where a single LDAP Role would dynamically result in more than one Group. The reason for this is that in very large environments (100.000k+ Users) the customer would prefer to have 1 generic LDAP Role "Portal_Permission" (which would just give the user access to the portal page), and delegate the resolution of this LDAP Role into Cloud Groups to a custom Java Application.

One example is delegating functions. If person A is on holiday and person B takes over (which in Cloud means person A also gets the Groups of person B), we need to update LDAP Permissions (which are seen as rather "static" in this environment and take their time to propagate through the different LDAP instances).

With the "Adapter", we would just have to update our DB (or the rules in our Java adapter) and the LDAP Mapping would result in the correct Groups assigned to the User.