Hi,

I have the below customized security authorization requirement from the business. I'm wondering what the best way to implement this is.

There is an organization hierarchy of Business Line, Business Line Type and Teams. Application users can be divided into mainly 4 profiles: Admin, Maintenance, Security Admin, Default. However, the Security Admin can create as many profiles as he/she wants by combining different application module pages like audit and various alert pages. Information on some of these pages is editable by a user only if one has been given access for that page and for that team or a level above, i.e. if a user has been given access at the business line level, one should be able to edit all loan records that have a team that falls under the business line. For example, team ABC comes under business line RETL and the user has been given update access for the audit page at the RETL level; then he/she can edit all audits assigned to team ABC and all the other teams under RETL. The same goes for the (business line -> business line type) and (business line type -> teams) combinations. Not all pages are BL, BLT and/or team driven. Some of them are general pages like the loan search and queue pages.

Can I achieve the above goal using Spring Security? If yes, please elaborate on the architecture for that. If no, is there any other tool/API that can fit my requirement?

Thanks for your time.
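
The access rule described in the question, modeled as an added example that is not part of the original post: a grant given at business line or business line type level covers every team beneath it, and anything not covered is denied. It is plain Java with no framework dependency; the class, record and method names are hypothetical, and all hierarchy names other than RETL and ABC are constructed sample data.

```java
import java.util.List;

public class HierarchyAccessDemo {
    // Location of a record in the hierarchy: business line -> business line type -> team.
    record Scope(String businessLine, String businessLineType, String team) {}

    // One grant for a page and action. Null businessLineType/team means the grant
    // was given at a higher level and covers everything beneath it.
    record Grant(String page, String action, String businessLine,
                 String businessLineType, String team) {
        boolean covers(String page, String action, Scope target) {
            if (!this.page.equals(page) || !this.action.equals(action)) return false;
            if (!businessLine.equals(target.businessLine())) return false;
            // Business-line-level grant; a team without a type is malformed, so deny.
            if (businessLineType == null) return team == null;
            if (!businessLineType.equals(target.businessLineType())) return false;
            return team == null || team.equals(target.team());
        }
    }

    // Deny by default: at least one grant must cover the target record.
    static boolean canAccess(List<Grant> grants, String page, String action, Scope target) {
        return grants.stream().anyMatch(g -> g.covers(page, action, target));
    }

    static void expect(boolean actual, boolean expected, String label) {
        if (actual != expected) throw new IllegalStateException("unexpected result: " + label);
        System.out.println(label + " -> " + actual);
    }

    public static void main(String[] args) {
        // Constructed sample data; CONSUMER, MORTGAGE, XYZ, CORP, LENDING, DEF are made up.
        Scope abc = new Scope("RETL", "CONSUMER", "ABC");
        Scope xyz = new Scope("RETL", "MORTGAGE", "XYZ");
        Scope def = new Scope("CORP", "LENDING", "DEF");
        List<Grant> user = List.of(
            new Grant("audit", "update", "RETL", null, null),        // business line level
            new Grant("alerts", "update", "RETL", "CONSUMER", null), // business line type level
            new Grant("alerts", "update", "RETL", null, "XYZ"));     // malformed, never matches

        expect(canAccess(user, "audit", "update", abc), true, "audit/ABC via RETL grant");
        expect(canAccess(user, "audit", "update", xyz), true, "audit/XYZ via RETL grant");
        expect(canAccess(user, "audit", "update", def), false, "audit/DEF outside RETL");
        expect(canAccess(user, "alerts", "update", abc), true, "alerts/ABC via CONSUMER grant");
        expect(canAccess(user, "alerts", "update", xyz), false, "alerts/XYZ not under CONSUMER");
        expect(canAccess(user, "audit", "view", abc), false, "audit view was never granted");
    }
}
```

In a Spring Security application, a check of this shape could be called from a custom `PermissionEvaluator`, with the grants loaded from the profiles the Security Admin defines; the general pages that are not BL, BLT or team driven would need only the page and action match.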