Hello,

I am a happy user of acegi. On big enterprise applications it can be complicated to manage user permissions. Suppose I have several companies on a document management system. In each company a user can have different roles. A particular user can be the ADMIN for his company, while being an external employee/consultant for several other companies, or can even collaborate in just certain projects of some companies, so he/she must have access to the corresponding documents, or can be invited to read a single document. This is just an example.

I would appreciate ideas relating to:

- simple db schema for roles and items (user|role|item [company, project, document...])
- granting authorities at login
- security proxies or method interception policies
- verbose messaging or exception throwing: "you cannot access this document because..."

Sorry if this is too vague; any hint/link/technology suggestion is welcome.

thanks
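As an added illustration of the scoped-role model this post sketches (not part of the original post or of any reply, and not acegi's API), the following Python models grants as user|role|item with items nesting company > project > document, and returns a verbose reason on denial. The item names, roles and actions are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model: a grant binds a user to a role on one item, and items
# nest company > project > document. Roles and actions are hypothetical.

@dataclass(eq=False)                 # identity equality: each item is a distinct scope
class Item:
    kind: str                        # "company", "project" or "document"
    name: str
    parent: Optional["Item"] = None

@dataclass(eq=False)
class Grant:
    user: str
    role: str                        # ADMIN, CONSULTANT, COLLABORATOR, READER
    item: Item                       # scope the role applies to

# Actions each role permits; a grant on an enclosing item covers its children.
ROLE_ACTIONS = {
    "ADMIN": {"read", "write", "delete", "invite"},
    "CONSULTANT": {"read", "write"},
    "COLLABORATOR": {"read", "write"},
    "READER": {"read"},
}

def scopes(item):
    """The item and every enclosing item, nearest first."""
    chain = []
    while item is not None:
        chain.append(item)
        item = item.parent
    return chain

def check_access(grants, user, action, item):
    """Return (allowed, reason). The reason names the decisive grant, or
    explains why none of the user's grants covers this item and action."""
    chain = scopes(item)
    in_scope = [g for g in grants if g.user == user and g.item in chain]
    for scope in chain:                          # nearest scope reported first
        for g in in_scope:
            if g.item is scope and action in ROLE_ACTIONS[g.role]:
                return True, f"{g.role} on {scope.kind} '{scope.name}' permits {action}"
    target = f"{item.kind} '{item.name}'"
    if not in_scope:                             # no grant anywhere up the chain
        where = ", ".join(f"{s.kind} '{s.name}'" for s in chain)
        return False, f"you cannot {action} {target}: no role on {where}"
    held = "; ".join(f"{g.role} on {g.item.kind} '{g.item.name}'" for g in in_scope)
    return False, f"you cannot {action} {target}: your roles ({held}) do not permit {action}"
```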