Veto invalid permission assignments based on attribute name

Provide a way to veto permission assignments on a Group of type Role on a membership unless a particular attribute value is present to indicate which permission definition should apply, example:

Group of Type role has attribute indicating that it should only be assign permissions from a particular permission attribute definition. If someone tried to assign a different attribute name from a different permission attribute definition, Grouper should veto the permission assignment.

This feature should support the fact that more than one permission attribute definition may be applicable to to a role/membership assignment. However if not explicitly listed, it should reject all others