
Rails - Help for design: application with different user privilege levels

This is my first question on Stack Overflow; it is quite generic, and I hope I can get suggestions here.

I quickly made a Rails 3 administrative-only application, mostly used for data-entry tasks about heating plant maintenance. It consists of about 10 models, and I widely used scaffolding and resource nesting to build up a single fully privileged user (admin) application. Mainly there is a system model with many child models, and each system belongs to an operator.

Now I need each operator to log in and manage his own systems, almost exactly as the admin user can, but restricting privileges to the systems that belong to that operator.

Now the question... Should I:

(1) Filter data in the model's scaffold generated controllers?

E.g. (don't care about syntax, just to give the idea):

def index
  if session[:operator_id]
    # Operator: only the systems that belong to this operator
    @operator = Operator.find(session[:operator_id])
    @systems = @operator.systems
  elsif session[:admin] == true
    # Admin: every system
    @systems = System.all
  end
end

(2) Write different controllers for operators restricting privileges?

Replacing the scaffold-generated structure with one folder for the admin's controllers (with e.g. System.all statements) and a second one for the operators' controllers (with e.g. @operator.systems statements).

(3) Split in separate applications?

To save the scaffold-generated structure? You are saying NO! NO! NO!, right?

(4) Hope to get a better suggestion from stackoverflow expert users?

Thank you all...


From a performance point of view, filtering rows by operator as you showed in (1) is best.

For security reasons you should also do the checking in a before_filter of your controllers, so operator 1 can't view other operators' data. For example, if system 1 belongs to operator 1, you need to make sure that operator 2 can't type systems/1 in the browser and view the data (assuming systems/1 is :controller => :systems, :action => :show, :id => 1).

If performance isn't a big issue, you can take a look at the Authorization plugin; it allows role-based object instance authorization with a cool syntax for checking rights :)

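The check the answer describes, as an added example (not code from the question or the answer): plain Ruby standing in for the Rails pattern, with Struct records and a hand-rolled NotFound in place of ActiveRecord, so it runs without a database. The point it shows is that the show action should look the record up inside the current user's scope (the equivalent of @operator.systems.find) rather than doing a global System.find; the constructed sample data and the names systems_scope, show and unscoped_show are assumptions of this example.

```ruby
# Added example, not from the original question or answer. Plain Ruby stand-in
# for the Rails pattern discussed above; constructed sample data, no ActiveRecord.

class NotFound < StandardError; end   # stands in for ActiveRecord::RecordNotFound

Operator     = Struct.new(:id, :name)
SystemRecord = Struct.new(:id, :operator_id, :name)

# Constructed sample data: systems 1 and 2 belong to operator 1, system 3 to operator 2.
SYSTEMS = [
  SystemRecord.new(1, 1, "Plant A"),
  SystemRecord.new(2, 1, "Plant B"),
  SystemRecord.new(3, 2, "Plant C"),
].freeze

ADMIN = :admin   # stands in for session[:admin] == true

# What a before_filter would compute once per request: the set of systems
# the current user is allowed to see (like @operator.systems, or System.all).
def systems_scope(current_user)
  return SYSTEMS if current_user == ADMIN
  SYSTEMS.select { |s| s.operator_id == current_user.id }
end

# index: list only what the scope allows.
def index(current_user)
  systems_scope(current_user).map(&:id)
end

# show, done right: find *within* the scope. Operator 2 asking for systems/1
# gets NotFound exactly as if the record did not exist; nothing leaks.
def show(current_user, id)
  systems_scope(current_user).find { |s| s.id == id } or raise NotFound, "System #{id}"
end

# show, done wrong: a global lookup that ignores who is asking. This is the
# hole the before_filter check must close; kept here only for comparison.
def unscoped_show(_current_user, id)
  SYSTEMS.find { |s| s.id == id } or raise NotFound, "System #{id}"
end

if $PROGRAM_NAME == __FILE__
  op2 = Operator.new(2, "second operator")
  p index(op2)                                   # [3]
  p index(ADMIN)                                 # [1, 2, 3]
  p unscoped_show(op2, 1).name                   # "Plant A"  <- leaks operator 1's system
  begin
    show(op2, 1)
  rescue NotFound => e
    puts "scoped show denied: #{e.message}"      # the behaviour we want
  end
end
```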