Hi

I'm developing a web app and I'm tring to define how to handle security and roles. I'm describing how I am planning it, and I'd like some advice.

The app will be accessed by three main types of actors: application vendor staff (will manage the application), the application customers (manufacturers, they use the app to do business, controlled by the app vendor - staff people above) and standard web registered users.
Both former types will have various roles, mostly on customer side: master user, HR user, finance user, production user, etc. But users with higher access levels (master, for instance) should be able to create personalized roles and assign them to users (e.g: a production user that can answer customer questions, change certain production parameters, and also view financial summaries). Standard users will have limited functionality.
User identification will be user/pass with DB login module.

As I understand, security constraints and other XML configured security features are not this fine grained. I guess that I should define these three generic roles, and programaticaly through the app restrict access to the methods, accoring to the permissions of each role. This seems quite an ordinary scheme, does Security provides anything over this?

I also thought of using Portal to develop the app, however it doesn't seem designed to handle this kind of permission scheme. I think I could reproduce the correct behavior if I make every user lower than master unable to configure their own portal (forced to use the template), and maybe place all pages and portlets on the templace (unauthorized portlets would be removed from view). But I don't know if I can block portal customization, nor how to allow such functionalities to certain roles, nor restrict certain roles to exist just for a group of users hierarchically linked.

Can anyone give me some insight on this?