Spring Security solutions for hierarchy tree roles

[ysihaoy]

I know Spring Security is good for standard role and permission based authorisation. What I'm not sure is this scenario:

There are 10,000 employees managed in the system, employees organised into an org chart (a tree of who reports to who across departments). Some of these employees are users. These users are only permitted to access employees in their line of responsibility (their branch in the tree / a descendant of their employee).

So I am wondering how do modern J2EE (or other) systems manage these checks? Can Spring Security (ACL) do this and How can it be modelled?

Our old implementation (many years ago) is when a user accesses an employee we can check whether the requested employee is a descendant by recursing up the tree. But this is not the ideal solution and we want to use a new solution.

[spgmx]

Look into package org.springframework.security.access.hierarchicalro les.