> > The problem I am having is how to grant privileges to users to

securely

> allow them to see only the records in selected groups and their

children (in

> much the same way as a secure file system works).
>
> You can iterate over your parent_item fields inside a stored

procedure and

> that stored procedure can check for permissions.
> It might be better not to include this into the database, but keep

it in

> your application layer.
>

I am worried that checks like this will produce a big hit on the
performance. Also, I would like to do the security in the database
so as to stop users without the correct prvileges accessing data
they do not have rights to via a third party application.

I currently have something like you suggested. I give each users a
list of "root groups" that the application checks for when
generating the tree. This stops them seeing any records in the tree
that they're not meant to. However, they can still run reports that
allow them to see every record in the table. This is what I want to
avoid.

> From what I am doing, I think database facilities end when it

comes to group

> permissions, where groups can include other groups...
>

I agree, but am hoping that there is a clever way to implement it.
I've been thinking along the lines of using views and stored
procedures, but can't solidify the ideas into a concept ;o)

I'm sure that somebody must have done something like this before.

> Remember, that standart sql security only defines special rights

to complete

> tables.
>
> Regards,
> Steffen