...
The "Group" object in Grouper is close to what we need for entities, they are in the namespace, they have some privileges (only ADMIN and VIEW are needed), and they have UI/WS support. The implementation of this enhancement is to have a typeOfGroup option as entity. Currently for v2.1 the options are "group", "role", and "entity".
The implementation of groups in the database has entries in the grouper_group_set table for each of the possible "lists". The only grouper_group_sets for entities are: admins, viewers.
An entity is modeled as a grouper group object, but you cannot ad members to it, and of course you cannot add role permissions to it. Though of course if it were a member of a role, you could add individual permissions in the context of that role.