// public only for unit test. TODO: cleanup unit test
    /**
     * Resolves the grantee type and domain of a named entry and collects the set of ids
     * that identify it: the entry's own id plus the ids of the groups it is a member of.
     *
     * <p>Accounts and distribution lists have their group membership looked up, with
     * {@code adminOnly} forwarded to that lookup. Dynamic groups get no membership lookup.
     * A domain is accepted as a grantee only when {@code adminOnly} is false.
     *
     * @param grantee the entry to treat as a grantee
     * @param adminOnly when true, only accounts, distribution lists and dynamic groups are
     *     considered, and the entry must additionally pass
     *     {@code RightBearer.isValidGranteeForAdminRights}
     * @throws ServiceException {@code INVALID_REQUEST} when {@code adminOnly} is set and the
     *     entry is of another type or fails the admin-rights validity check; {@code FAILURE}
     *     when no domain was resolved for the entry; also propagated from the provisioning
     *     lookups
     */
    public Grantee(NamedEntry grantee, boolean adminOnly) throws ServiceException {
      super(grantee);

      Provisioning provisioning = grantee.getProvisioning();
      GroupMembership membership = null;

      if (grantee instanceof Account) {
        Account account = (Account) grantee;
        mGranteeType = GranteeType.GT_USER;
        mGranteeDomain = provisioning.getDomain(account);
        membership = provisioning.getGroupMembership(account, adminOnly);
      } else if (grantee instanceof DistributionList) {
        DistributionList distributionList = (DistributionList) grantee;
        mGranteeType = GranteeType.GT_GROUP;
        mGranteeDomain = provisioning.getDomain(distributionList);
        membership = provisioning.getGroupMembership(distributionList, adminOnly);
      } else if (grantee instanceof DynamicGroup) {
        // Membership is deliberately not fetched here: dynamic groups cannot be nested,
        // neither as a member of another dynamic group nor of a distribution list.
        mGranteeType = GranteeType.GT_GROUP;
        mGranteeDomain = provisioning.getDomain((DynamicGroup) grantee);
      } else if (adminOnly) {
        // Only the three types handled above are accepted for admin rights.
        throw ServiceException.INVALID_REQUEST("invalid grantee type", null);
      } else if (grantee instanceof Domain) {
        mGranteeType = GranteeType.GT_DOMAIN;
        mGranteeDomain = (Domain) grantee;
      }
      // NOTE(review): on the non-admin path an entry matching none of the types above is not
      // rejected here; no branch assigns it a type or a domain, so it is turned away only by
      // the domain null check below, and is reported as FAILURE rather than INVALID_REQUEST.

      if (adminOnly && !RightBearer.isValidGranteeForAdminRights(mGranteeType, grantee)) {
        throw ServiceException.INVALID_REQUEST("invalid grantee", null);
      }

      if (mGranteeDomain == null) {
        throw ServiceException.FAILURE("internal error, cannot get domain for grantee", null);
      }

      // The id set always holds the entry's own id; group ids are added only when a
      // membership lookup was performed.
      mIdAndGroupIds = new HashSet<String>();
      mIdAndGroupIds.add(grantee.getId());
      if (membership != null) {
        mIdAndGroupIds.addAll(membership.groupIds());
      }
    }
 /**
  * Returns the id reported by the wrapped entry.
  *
  * @return the result of {@code mRightBearer.getId()}
  */
 String getId() {
   final String id = mRightBearer.getId();
   return id;
 }