We're building/designing next generation of our sales/ordering/CRM system which comprises of entities like customer (customer hierarchy in particular), order, promotion action, ... Each user of the system should have assigned one or more customers. Users should be organized in a form of organizational hierarchy. The system should control access to customer-related entities according to current user settings. The problem is that it should work in hierarchical way in both customer and user directions. That means that if user has assigned customer X from the hierarchy, he should be also able to operate with all childern of this customer. And in simmilar way with users - a manager should be able to operate with all customer-related entities which are allowed for his subordinates.
I'd like to use Rhino Security for restricting access to operations over entities in the system, but I'm not sure if it's suitable for this complex scenario. My current mind state is that it should be possible if I'm able to develop some background process (probably service-bus based) which would be able to generate entity groups for all new/modified entities. However this means that there will be quite a huge amount of entity groups without any good intent background. There won't be groups like "customers which don't pay bills" etc, but just groups like "customers for user X", which would contain all the allowed customers. There will be some other operations which would be controlled in much more Rhino Security-standard way like "only managers are able to invalidate a customer" though.
I'd appreciate any thoughts on this problem...