Michele,
We base epesi access control on phpGACL - php Generic Access Control List.
http://phpgacl.sourceforge.net/
Currently we control access for "Internal" users, we call them employees as they usually will be your co-workers, members of the same organization - Main Company. When you start using epesi you set up the first company - Main Company - and the first user - the Super Administrator. Even the Super Administrator should be a member of more than one group: Super Administrator and Employee Administrator is probably the best choice.
Every module can define its own rights about who can access what. For example, an Employee can view data but cannot modify or delete it, an Employee Manager can view and modify, and an Employee Administrator can view, modify and delete records. Again this is defined per module; the example below is from the CRM/Tasks module:
$this->add_aco('browse tasks',array('Employee'));
$this->add_aco('view task',array('Employee'));
$this->add_aco('edit task',array('Employee'));
$this->add_aco('delete task',array('Employee Manager'));
$this->add_aco('view protected notes','Employee');
$this->add_aco('view public notes','Employee');
$this->add_aco('edit protected notes','Employee Administrator');
$this->add_aco('edit public notes','Employee');
We have already written some custom modules where other access levels are utilized. In general there are 4 groups of users: Guest, Public Users (Customers), Internal Users (Employees), Administrators.
Public user - Guest - in our terminology User. This could be a person who can view your public page, a forum, e-commerce site etc. without being registered. You are basically a guest when you view a login page.
Customer group - similar to User but has already created an account (or the account was created for her/him). At the minimum this could be Customer. Can view and edit her/his own record, maybe orders etc.
Customer Manager - can view her/his info plus that of her/his group. Think of it as Manager of one department.
Customer Administrator - can view her/his info plus that of her/his group as well as other groups within her/his company. Think of it as Company Manager.
We developed an application (online warehouse management system) where people can log in to view what is stored in the warehouse. Customer can see items that their department has stored but cannot order anything to be delivered. Customer Manager can also view all items stored by their department plus order delivery of those items. Customer Manager is restricted to one department only but also can add/remove users within her/his own department.
Customer Administrator can do all of the above but also can administer multiple departments and users in all of them. Still she/he is limited to items of her/his company only.
Internal users have similar levels: Employee, Employee Manager, Employee Administrator. However, all those levels have a higher access level than any of the Customers. While Customers are limited to their own company/department records, Employees can view records of all Customers.
Finally we have administrators. Super Administrator is the equivalent of the "root" user - can do anything. We restricted the Administrator's access to some areas - only Super Administrator has access to: Backups, Common Data, Default Dashboard, Default user settings, Mail Server settings, Maintenance Mode, Modules Administration and Notes and Attachments control. We did not use the Moderator level yet.
I understand that it may seem confusing however those levels are necessary for our future plans and implementations.
Your question #2: We don't have this functionality out of the box. It is possible however to modify rights within the module to accomplish this. I myself am looking for this type of functionality and will be implementing this in the near future.
Question #3: Yes, it is possible. You need to provide more information, though, about what you want to accomplish. We have a module where if you are one of the Project Managers it will automatically show you just the projects that you manage, but if you are not a project manager you will see a list of all projects. This is controlled by Groups within contacts, not by phpGACL. Below is an example of the custom function within the display method that does it:
// Check if a user is Project Manager
if(isset($projman[$me['id']]))
// set filter to show just my projects
$rd = & $this->get_module_variable('projman',$me['id']);
else
// set filter to show all projects
$rd = & $this->get_module_variable('projman','all');
I hope that this clarifies some of your questions.
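To make the Customer / Customer Manager / Customer Administrator / Employee scoping from the warehouse example concrete, here is an added stand-alone PHP illustration (not epesi or phpGACL code; in epesi the check goes through phpGACL ACOs). The array layout of `$user` and `$item`, the `groups` key holding a user's group memberships, and the sample company/department names are assumptions made for this example.

```php
<?php
// Added illustration of the record scoping described in the post.
// Not epesi code: $user['groups'] (list of group names) and the
// company/department keys are assumed for this example only.

function in_group(array $user, string $group): bool {
    return in_array($group, $user['groups'], true);
}

// Who may *see* a warehouse item: Employees see everything, Customer
// Administrators see their whole company, Customers and Customer
// Managers only their own department, Guests nothing.
function can_view_item(array $user, array $item): bool {
    foreach (array('Employee', 'Employee Manager', 'Employee Administrator') as $g) {
        if (in_group($user, $g)) {
            return true;
        }
    }
    if (in_group($user, 'Customer Administrator')) {
        return $item['company'] === $user['company'];
    }
    if (in_group($user, 'Customer Manager') || in_group($user, 'Customer')) {
        return $item['company'] === $user['company']
            && $item['department'] === $user['department'];
    }
    return false;
}

// Who may *order delivery*: a plain Customer may look but not order;
// Customer Manager and above may order anything they are allowed to view.
function can_order_delivery(array $user, array $item): bool {
    $managerOrAbove = in_group($user, 'Customer Manager')
        || in_group($user, 'Customer Administrator')
        || in_group($user, 'Employee')
        || in_group($user, 'Employee Manager')
        || in_group($user, 'Employee Administrator');
    return $managerOrAbove && can_view_item($user, $item);
}

// Constructed sample data for a quick run.
$item      = array('company' => 'Acme', 'department' => 'Sales');
$customer  = array('groups' => array('Customer'), 'company' => 'Acme', 'department' => 'Sales');
$otherDept = array('groups' => array('Customer Manager'), 'company' => 'Acme', 'department' => 'IT');
$custAdmin = array('groups' => array('Customer Administrator'), 'company' => 'Acme', 'department' => 'IT');
$outsider  = array('groups' => array('Customer Administrator'), 'company' => 'Globex', 'department' => 'IT');

var_dump(can_view_item($customer, $item), can_order_delivery($customer, $item));
var_dump(can_view_item($otherDept, $item), can_view_item($custAdmin, $item), can_view_item($outsider, $item));
```

The first `var_dump` shows a Customer who can view but not order; the second shows a manager of another department denied, the company's administrator allowed, and an administrator from a different company denied.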