Adding permissions to django users which have add-on models

I w开发者_JAVA技巧ill be creating an intranet site with multiple roles (client-employee, client-admin, staff team member). Each role will have a model that attaches (via One-to-One or ForeignKey field) to a user with custom fields. I want each role to have it's own set of permissions (like a group).

How can I store this permissions set inside my application. Groups seem to be defined as part of the contrib.admin app rather than in code. I couldn't find anything in documentation on how to define a group.

What is the best way to handle model level permissions. Maybe I could do a check in the model if see if the user has the right role-model.

Access control lists are tricky (some say dead), but Django comes with a good default implementation in contrib.auth equipped with:

• Users
• Permissions: Binary (yes/no) flags designating whether a user may perform a certain task.
• Groups: A generic way of applying labels and permissions to more than one user.

A more detailed introduction can be found here:

• http://parand.com/say/index.php/2010/02/19/django-using-the-permission-system/