Thank you for this hint. I do not have any experience with LDAP but of course it would be an interesting challenge to learn more.
2011/3/21 Joe Barnhart <joe.barnh...@gmail.com>

> Isn't this a perfect example of a place to use web2py with LDAP?
>
> -- Joe
>
> On Mar 20, 5:22 am, Martin Weissenboeck <mweis...@gmail.com> wrote:
> > Hi everybody,
> > I have the following problem: I need some kind of hierarchical
> > authorization.
> >
> > This is a simplified model:
> > Company C001...C500
> > Department D01...D15
> > Group G01...G40
> > Person P01...P30
> >
> > Not every company has 15 departments, not every department has 40 groups
> > and so on, but the whole program should work with up to 200.000 persons.
> >
> > Now some authorizations:
> >
> > - Every person is allowed to change most (but not all) of his personal
> >   data.
> > - Some persons are allowed to change some data of the members of a
> >   specified group or some groups or a department.
> > - Some persons are allowed to send messages to single persons or to the
> >   members of a group or some groups or a department or a company.
> > - Some persons are allowed to change all data of the members of a group
> >   or some groups or a department or a company.
> > - Some persons are allowed to do everything (including impersonate) with
> >   all data of the members of a whole department or company.
> > - ... and so on ...
> >
> > One person could be identified by a string field like "C003:D03:G12:P15".
> >
> > I think I could use the authorization and the decoration of web2py to allow
> > one person to modify data or to send messages.
> >
> > - But how could I use the authorization e.g. to modify only some data?
> > - And if somebody is allowed to change some data he should only see
> >   those persons for whom he is allowed to make modifications.
> >
> > A sql-statement "where ident like 'C003:D03:G12:%'" could do the job.
> >
> > - But would it be fast enough for 200.000 persons?
> > - Is there any way to use the authentication mechanism for this problem?
> >
> > Regards Martin
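
An added example, not part of the thread: the prefix-scoped check from the quoted question, written so that a granted scope can only match its own subtree. It uses plain `sqlite3` rather than the web2py DAL; the `person` table, the `(scope, permission)` grant list and the permission names are assumptions made for illustration.

```python
import sqlite3

# Constructed sample idents in the thread's "Cxxx:Dxx:Gxx:Pxx" format.
SAMPLE = ["C003:D03:G12:P15", "C003:D03:G12:P16", "C003:D03:G13:P01",
          "C003:D04:G01:P01", "C004:D01:G01:P01"]

def demo_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE person (ident TEXT PRIMARY KEY)")
    db.executemany("INSERT INTO person VALUES (?)", [(i,) for i in SAMPLE])
    return db

def scope_pattern(scope):
    """LIKE pattern for everything strictly below `scope`."""
    # Escape LIKE wildcards (backslash first) so a scope value that
    # contains '%' or '_' can never widen itself.
    for ch in ("\\", "%", "_"):
        scope = scope.replace(ch, "\\" + ch)
    # Append the ':' delimiter before '%': a scope of 'C003:D03:G1'
    # must not match group G12.
    return scope + ":%"

def visible_persons(db, grants, permission):
    """Idents the caller may act on with `permission` (hypothetical helper)."""
    scopes = [s for s, p in grants if p == permission]
    if not scopes:
        return []  # no grant means no rows, never "all rows"
    clause = " OR ".join(["(ident = ? OR ident LIKE ? ESCAPE '\\')"] * len(scopes))
    params = []
    for s in scopes:
        params += [s, scope_pattern(s)]  # the scope itself, then its subtree
    rows = db.execute(
        "SELECT ident FROM person WHERE " + clause + " ORDER BY ident", params)
    return [r[0] for r in rows]
```

Filtering the list query through the same grants that gate the write path means a caller only ever sees the persons they are allowed to modify.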