> I am worried that checks like this will produce a big hit on the
> performance. Also, I would like to do the security in the database
> so as to stop users without the correct prvileges accessing data
> they do not have rights to via a third party application.

That will be a problem how ever you do it. Since SYSDBA can always see
the data :)

Personally I would look at a table of records with an ID number for
each, and a separate table with the tree, just using the ID numbers
rather than your VARCHAR field. The tree can access the necessary
records, but the record would also have a field for the branch of the
tree it is in. You can then use THAT to restrict who sees what. If the
number of branches are not too great, then you could probably produce a
VIEW for each area and only allow a user to see data from a particular
view. I've only got four ROLES, so only need four views ;)

--
Lester Caine
-----------------------------
L.S.Caine Electronic Services