There is a scenario in one of the projects I am working on, in which there is a central database that is being accessed by various branches and sub-units within the organisation. In addition to role-based entitlements (like operator, admin, approver, etc.), which I am aware of how to tackle, there is a requirement to filter data at the organizational-unit level.
For example, see the organization structure depicted below:
In this scenario, any user working at HQ level would have access to all the data across the branches in those screens for which the user has access (role-based). However, anyone in Branch 1 can see only data of Units 1.1, 1.2 & 1.3. The same holds for Branch 2 as well. As we generalize this to the next level, a user in Unit 1.1 can access only data of Unit 1.1, but not of the others.
So, is such a kind of access control possible with Domain Object Security or any other mechanism in Spring Security?
Alternatively, I am exploring the possibility of having an interceptor in Hibernate that will do the necessary filtering. Any help on that front would also be useful.
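The unit-level rule from the question (HQ sees everything, a branch sees its own units, a unit sees only itself), shown as an added example that is not part of the original post and is not Spring Security or Hibernate code. It assumes each row stores its owning unit as a path from the root; the names `OrgScopeDemo`, `canRead` and `visibleIds` and the sample rows are hypothetical.

```java
import java.util.List;
import java.util.stream.Collectors;

public class OrgScopeDemo {
    // Each org unit is identified by its path from the root, e.g. "HQ/B1/U1.1" (assumed encoding).
    record User(String name, String unitPath) {}
    record Row(String id, String ownerUnitPath) {}

    // A user may read a row owned by their own unit or by any unit beneath it.
    // Appending "/" before the prefix test stops "HQ/B1" from matching the sibling "HQ/B10".
    static boolean canRead(User user, Row row) {
        String scope = user.unitPath();
        String owner = row.ownerUnitPath();
        return owner.equals(scope) || owner.startsWith(scope + "/");
    }

    // Applied in addition to the role check that decides which screens a user may open.
    static List<String> visibleIds(User user, List<Row> rows) {
        return rows.stream()
                .filter(r -> canRead(user, r))
                .map(Row::id)
                .collect(Collectors.toList());
    }

    public static void main(String[] args) {
        // Constructed sample data following the structure described in the question.
        List<Row> rows = List.of(
                new Row("r1", "HQ/B1/U1.1"),
                new Row("r2", "HQ/B1/U1.2"),
                new Row("r3", "HQ/B2/U2.1"),
                new Row("r4", "HQ/B10/U10.1"), // constructed sibling whose name shares a prefix with B1
                new Row("r5", "HQ"));

        // HQ user: every row. Branch 1 user: only Branch 1 units. Unit 1.1 user: only its own row.
        System.out.println(visibleIds(new User("hq", "HQ"), rows));
        System.out.println(visibleIds(new User("b1", "HQ/B1"), rows));
        System.out.println(visibleIds(new User("u11", "HQ/B1/U1.1"), rows));
    }
}
```

The same prefix condition can be expressed as a query predicate on the path column so that rows outside the user's subtree are never loaded from the central database.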
Open this link:
https://github.com/taylorleese/google-app-engine-jappstart
It is a project. You can see the Spring Security file: https://github.com/taylorleese/google-app-engine-jappstart/blob/master/src/main/webapp/WEB-INF/applicationContext-security.xml