Basically looking for ideas on access-control of objects. I assume this kind of problem is common, but I don't see modules for it. Sorry if I don't explain this well.
I work on a CMS, when I'm not too lazy :). We have objects like "Story", "Workflow", "Desk", "User", "Element", ... These correspond to one or more database tables. The permissions are mostly object-specific, so a user or group will have READ or EDIT or PUBLISH permissions for a Story, say. In some ways it's a nice system, but one thing I don't like is there's not really a natural way to make the objects hierarchical. For example, if a Desk is in a Workflow, I'd want the Desk to inherit permissions from the Workflow. Another thing I dislike is that we basically have to instantiate all the objects before filtering out the ones the user doesn't have permission for. I think I'd prefer something like a JOIN in the database to take care of that.
The best approach I've found so far is probably what's known as role-based access control, though this is just an idea rather than a module/implementation. Someone also mentioned LDAP, which I need to get up to speed on (I associate it with sysadminny things like single sign-on but not with object-level use in an application). Any other ideas? It seems like something that must be common in Catalyst applications, for example.