Hello guys, I am trying to design a privileges-based system for our intranet. At a high level the following functionality is required.

The organization has a hierarchy across departments and strategic business units of various depths. Users are attached to any number of hierarchy positions. At the last level we have projects, where the bulk of the users are attached.

Ex. 1: The same user could be heading the company and so would be attached to the Corp. hierarchy (top level). He/she could also be the head of quality and so will have an attachment at the Quality Dept. level.

Ex. 2: The same person is attached to various projects under different Strategic Business Units (same level as Department: ex. Production 1 at the same level as HR) performing different roles, ex. he/she is a manager in one project and a team member in the other project.

What strategy will enable us to ensure that people do not have access to data in hierarchies where they have no privilege? Obviously a boss automatically has access to subordinates' data. Also some of the information is key, ex. salary figures. So though the person might have access to employee details, for some roles we might want to restrict visibility of such key data.

Please provide your insights on the implementation of such a system.

Cheers
Jayram
------------------ What if this is as good as it gets?
The scenario you paint is implemented via access control lists/role-based security. What you would do is attach "grants" and "denies" on objects that you are protecting. A collection of "grants" and "denies" will be your ACL. Most databases implement such a security scheme. If it's web pages that you're protecting, you might want to look into Apache Turbine for inspiration.

Pho
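As an added illustration of the grants/denies ACL approach suggested above (example code written for this thread, not part of either post and not Apache Turbine's API), the sketch below models the original question: a position tree (Corp, departments/SBUs, projects), users holding different roles at several positions, role permissions that flow down the hierarchy so a boss reaches subordinates' data, and per-object ACL entries where an explicit deny beats whatever the role would grant. Key fields such as salary are masked rather than withheld with the whole record. All node names, roles, users and records are constructed sample data.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical org model: one tree of positions (Corp -> departments/SBUs -> projects).
@dataclass(eq=False)
class Node:
    name: str
    parent: Optional[Node] = None

    def chain(self) -> list[Node]:
        """This node and all of its ancestors up to the root."""
        out, n = [], self
        while n is not None:
            out.append(n)
            n = n.parent
        return out

# Role -> permissions. Only people-managing roles may read salary figures by default.
ROLE_PERMS = {
    "head":    {"employee:read", "salary:read"},
    "manager": {"employee:read", "salary:read"},
    "member":  {"employee:read"},
}

# ACL entry: (subject = user id or role name, "grant" | "deny", permission)
AclEntry = tuple[str, str, str]

@dataclass
class Record:
    node: Node                 # where in the hierarchy the protected object lives
    data: dict
    acl: list[AclEntry] = field(default_factory=list)

class AuthZ:
    def __init__(self) -> None:
        self.assignments: dict[str, list[tuple[Node, str]]] = {}

    def assign(self, user: str, node: Node, role: str) -> None:
        self.assignments.setdefault(user, []).append((node, role))

    def roles_at(self, user: str, node: Node) -> set[str]:
        """Roles the user holds at `node` or any ancestor: a boss's role flows down."""
        scope = node.chain()
        return {role for n, role in self.assignments.get(user, []) if n in scope}

    def allowed(self, user: str, perm: str, rec: Record) -> bool:
        roles = self.roles_at(user, rec.node)
        if not roles:                      # no position over this object: no access at all
            return False
        subjects = roles | {user}
        # An explicit deny on the object beats anything the role would otherwise grant.
        if any(s in subjects and p == perm and e == "deny" for s, e, p in rec.acl):
            return False
        if any(perm in ROLE_PERMS[r] for r in roles):
            return True
        # Otherwise an explicit grant on the object can widen a role's defaults.
        return any(s in subjects and p == perm and e == "grant" for s, e, p in rec.acl)

    def view(self, user: str, rec: Record) -> dict:
        """Return the record with key fields masked unless the caller may read them."""
        if not self.allowed(user, "employee:read", rec):
            raise PermissionError(f"{user} has no position over {rec.node.name}")
        out = dict(rec.data)
        if not self.allowed(user, "salary:read", rec):
            out["salary"] = "***"
        return out

def build_demo() -> tuple[AuthZ, dict[str, Record]]:
    """Constructed sample hierarchy, users and records (not real data)."""
    corp = Node("Corp")
    hr, prod1 = Node("HR", corp), Node("Production 1", corp)
    proj_a, proj_b = Node("Project A", prod1), Node("Project B", prod1)

    az = AuthZ()
    az.assign("jayram", corp, "head")        # heads the company
    az.assign("anita", proj_a, "manager")    # manager in one project ...
    az.assign("anita", proj_b, "member")     # ... plain team member in another
    az.assign("bob", proj_b, "member")

    records = {
        "emp_a": Record(proj_a, {"name": "Dev One", "salary": 5000}),
        # explicit grant lets one member see one salary without changing the role
        "emp_b": Record(proj_b, {"name": "Dev Two", "salary": 4200},
                        acl=[("bob", "grant", "salary:read")]),
        # explicit deny keeps even the company head away from this salary figure
        "emp_hr": Record(hr, {"name": "HR One", "salary": 6100},
                         acl=[("head", "deny", "salary:read")]),
    }
    return az, records

if __name__ == "__main__":
    az, r = build_demo()
    for user in ("jayram", "anita", "bob"):
        for name, rec in r.items():
            try:
                print(user, name, az.view(user, rec))
            except PermissionError as exc:
                print(user, name, "DENIED:", exc)
```

The two decisions worth keeping when this grows into a real system are the ones the thread's question turns on: scope is decided by walking up the object's position chain (so someone with no position above an object gets nothing, whatever their role elsewhere), and field-level secrets are a separate permission from reading the record, checked with the same deny-wins rule.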