Adding customizable user-groups and ACLs to your web app(s) (the smart way)
I work for a growing company that has several Rails-based SaaS applications. In its growth, the company is going after larger clients, and one of the features that has come up as a requirement for these large companies is more sophisticated user management to ease the management of their thousands of users. Right now, client membership is simplistic and completely flat, and we've been asked to replace that with a customizable nested user-group-role management system capable of modeling any (reasonable) corporate hierarchy. We expect this to be a colossal undertaking.
To complicate matters, the company is trying to grow the business into a "platform" so we've taken on a few mortar projects to glue our existing and future applications together. One of these is a user-group-role management SOA project that all of our platform applications will use via web services rather than implementing their own.
I realize that implementing user-groups is not a new problem, so I'm interested in horror and success stories, and, of course, recommendations. What's the zeitgeist? Does anyone have any recommended reading? Should we roll our own RDBMS schema to handle this system, or should we implement something like LDAP?
If you roll your own RDBMS schema, the performance and scalability are all up to your implementation. Instead you could use LDAP. You don't need to implement the LDAP (or below X.500 directory service). There are existing servers that can be used, like OpenLDAP. If your company can afford it, you could use eDirectory from Novell or AD from MS. eDirectory supports a nice feature called dynamic groups. You may read about that here: http://www.novell.com/coolsolutions/feature/5414.html.