I am in the process of creating a page protection scheme where it would not be as cut and dried as simply defining roles for each user, as some users would be of one role and need to see parts of another role's functions.

Still with me?

Alright, so my thought is a table

ID
URL

where it would store the URLs of all the protected pages

A clearance table for each user where it would store their access levels in a comma-delimited field.

USERID
Clearance

Then I, as admin of the system, would set people up with rights to be able to protect or unprotect a page via a link on each page that would only display if they have rights to protect or unprotect a page. This is for an intranet, so it would never get overwhelming with new user signups.

What are your thoughts on this?

Has anyone done something similar to what I am trying to accomplish in another way?

Any feedback would be appreciated.

    I think you'd be better served with a group level scheme.

      Explain what you mean by a group level scheme a little more, please.

      The problem with group level protection as I understand it is:

      I am a member of group A

      You are a member of Group B

      I, as a member of group A, am allowed to see C, D, E and F

      You, as a member of group B, are allowed to see G, H, I and J

      Now how do I grant you access to view C without allowing you to see D, E, F?

      Now, in a perfect world we could say you have access to C so you should be able to see D, E and F as well, but that is not the case. I need a very, very flexible protection scheme.

      It is for an intranet application, and supervisors delegate certain portions of their duties to the peer mentors; however, each supervisor and their adjoining peer mentor do this in their own way, and not every peer mentor has access to the same things.

      I cannot change the way they do business, so I am trying to provide them with a very flexible back end that can handle this.

        With a group level scheme you would give all the people in group A the ability to view document C. Now when someone new comes along you just add them to group A and they can view all of group A's stuff.

          And what about someone who is actually a member of group B? How would I give them access to just C without the rest of group A's permissions?

            You can create as many groups as you need.

            In a group based protection scheme each person should be a member of at least three groups:

            1) General - everyone belongs to this group
            2) Themselves - a group containing only themselves; this way, if they need some strange rights, you can accommodate it
            3) Their department - self explanatory

            If you're confused about how group access works, think of it like using Windows' built-in protection to protect different sections of the site.

              Alright, that makes a little more sense; however, that seems like a lot more trouble than what I am thinking of. I'll have to chew on it for a little while.

                It will be a lot harder to put into place, but in the long run you'll be glad you have it.

                Think about it: accounting has access to 300 documents.

                Your way, you have to manually give a new member of accounting access to those 300 documents.

                My way, you just make them a member of the accounting group.

                  Alright, so if I am following correctly, each page would be assigned a group ID or several group IDs that correspond with each individual group. But how does this account for the individual person's group as per your prior example?

                  If I want a new person to have access to a page outside of their normal group scope, do I have to individually add them to that page's allowed list?

                    It sounds like a lot of administration on your part, but you could create the table like

                    url | link_name| menu_order | allowed_users

                    then add each user ID of the clients who are granted access to the page to the allowed_users field like ",1,2,3,4,".

                    then generate the menu dynamically like:

                    <?php
                    // Only rows whose allowed_users list contains ",<id>," match; the
                    // surrounding commas keep id 1 from also matching ",10," or ",21,".
                    // Force the session id to an integer so it cannot alter the query.
                    $id = (int) $session_logged_in_ID;
                    $result = mysql_query("select * from pages where allowed_users like '%,$id,%' order by menu_order asc");

                    while ($row = mysql_fetch_array($result))
                    {
                        $STRurl = $row["url"];
                        $STRlink_name = $row["link_name"];
                    ?>
                    <tr><td><a href="<?php echo htmlspecialchars($STRurl); ?>"><?php echo htmlspecialchars($STRlink_name); ?></a></td></tr>
                    <?php } ?>
                    

                    This is bare bones, but you get the idea.

                    Don't know if it's useful, but it's an idea.

                      You would have database tables like this:

                      users
                        id
                        name
                        <etc>
                      
                      groups
                        id
                        name
                        <etc>
                      
                      pages
                        id
                        name
                        <etc>
                      
                      users_to_groups
                        id
                        user_id
                        group_id
                      
                      pages_to_groups
                        id
                        pg_id
                        group_id
                      

                      Now when a page gets added, the groups that can access that page are associated with that page. Users are associated with groups, and so users can access pages which any of their groups can access. It all becomes a couple of simple queries. The owner of the page should be the one who defines access rights to that page. When someone creates a page, they can make it be owned by any of their groups, for example.

                      Joe Smith belongs to groups general, accounting and jsmith
                      Bill Smith belongs to groups general, billing and bsmith
                      Alice Smith belongs to groups general, accounting, billing and asmith

                      Joe Smith creates a document (passed_due_accounts.txt) and makes it owned by accounting but viewable by billing and jsmith. Now Alice or Joe can modify the document, while Bill can only look at it.

                      Alice creates a document (employee_salaries.txt) and makes it owned by asmith and viewable by accounting. So only she can modify it, while Joe can look at it and Bill is oblivious to its existence.

                      Bill makes a document (why_alice_sucks.txt) and makes it owned by bsmith and viewable by jsmith. So only he can modify it, but Joe can view it, while Alice is oblivious to its existence.

                      Now let's say you hire John Doe and he's in billing. You just make him a member of billing and he can view all the documents viewable by billing and edit all of the documents owned by billing.

                      Is this making sense?
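The schema and scenario above, worked through as an added example (not code from the thread) in Python with an in-memory SQLite database: the five tables as listed, plus one assumed column, pages.owner_group_id, recording the "owned by" group, so that "owner may edit, listed groups may view" becomes two parameterised queries.

```python
import sqlite3

# Added example: the users/groups/pages/users_to_groups/pages_to_groups layout from
# the post, plus an assumed pages.owner_group_id for the group that may edit the page.
SCHEMA = """
CREATE TABLE users  (id INTEGER PRIMARY KEY, name TEXT UNIQUE);
CREATE TABLE groups (id INTEGER PRIMARY KEY, name TEXT UNIQUE);
CREATE TABLE pages  (id INTEGER PRIMARY KEY, name TEXT UNIQUE, owner_group_id INTEGER REFERENCES groups(id));
CREATE TABLE users_to_groups (user_id INTEGER, group_id INTEGER, PRIMARY KEY (user_id, group_id));
CREATE TABLE pages_to_groups (pg_id INTEGER, group_id INTEGER, PRIMARY KEY (pg_id, group_id));
"""

def gid(db, name):
    return db.execute("SELECT id FROM groups WHERE name = ?", (name,)).fetchone()[0]

def add_user(db, name, *groups):
    # A user is 'general', their department(s) and, usually, a personal group such as 'jsmith'.
    uid = db.execute("INSERT INTO users(name) VALUES (?)", (name,)).lastrowid
    db.executemany("INSERT INTO users_to_groups VALUES (?, ?)", [(uid, gid(db, g)) for g in groups])

def add_page(db, name, owner, *viewers):
    # The owner group may edit; groups in pages_to_groups may only view.
    pid = db.execute("INSERT INTO pages(name, owner_group_id) VALUES (?, ?)", (name, gid(db, owner))).lastrowid
    db.executemany("INSERT INTO pages_to_groups VALUES (?, ?)", [(pid, gid(db, v)) for v in viewers])

def can_view(db, user, page):
    # True if the user belongs to the owner group or to any group the page is shared with.
    return db.execute("""
        SELECT 1 FROM pages p JOIN users u ON u.name = ?
        JOIN users_to_groups ug ON ug.user_id = u.id
        WHERE p.name = ? AND (ug.group_id = p.owner_group_id
           OR ug.group_id IN (SELECT group_id FROM pages_to_groups WHERE pg_id = p.id)) LIMIT 1""",
        (user, page)).fetchone() is not None

def can_edit(db, user, page):
    # True only for members of the owning group.
    return db.execute("""
        SELECT 1 FROM pages p JOIN users u ON u.name = ?
        JOIN users_to_groups ug ON ug.user_id = u.id AND ug.group_id = p.owner_group_id
        WHERE p.name = ? LIMIT 1""", (user, page)).fetchone() is not None

def build_db():
    # Constructed sample data following the Joe / Bill / Alice scenario in the post.
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO groups(name) VALUES (?)", [(g,) for g in ("general", "accounting", "billing", "jsmith", "bsmith", "asmith")])
    add_user(db, "Joe Smith", "general", "accounting", "jsmith")
    add_user(db, "Bill Smith", "general", "billing", "bsmith")
    add_user(db, "Alice Smith", "general", "accounting", "billing", "asmith")
    add_page(db, "passed_due_accounts.txt", "accounting", "billing", "jsmith")
    add_page(db, "employee_salaries.txt", "asmith", "accounting")
    add_page(db, "why_alice_sucks.txt", "bsmith", "jsmith")
    return db
```

Hiring John Doe is then a single add_user(db, "John Doe", "general", "billing") call, after which he can view passed_due_accounts.txt but edit nothing, exactly as the post describes.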
