I've been thinking about writing about this for a while, and a post at 37signals has encouraged me to do so.
I have been involved in designing a number of CMS systems, user content systems, and general business process/management systems, and without fail, every one of these has run into huge problems around the issue of permissions.
To illustrate, let's look at a hypothetical situation:
Company A has a content management system, which allows them to update the content on their customer support site.
Now, the basic problem here is simple: allow them to post common questions and answers to those questions, provide a method for customers to ask new questions, and maybe a small system to display the 'most popular answers' type of thing. Here we've described a 2 week project (not including designer time).
Enter 'the problem'. Who gets to answer the questions? Who gets to edit the questions? Who gets to edit the introduction/content on the various pages? Who gets to edit that content?
Very, VERY quickly, this turns into a blooming tree of permissions: permissions on objects that inherit from permissions on object types, that inherit from areas of focus, differences in contributor vs. editor vs. publisher roles, roles per area of focus, etc.
What I see happening here, time and time again, is that you end up building a permissions system, not a system to manage the support site. And the question I have to ask is:
Is this the business you're in?
Are you in the business of creating permissions-based editing systems? I'm willing to bet the answer is no. You're in the business of delivering your product, and all you need here is people to help answer the questions. Whether you're building this internally, or paying an outside company/contractor, ultimately it is still your company doing the project, your time and money.
Remove all the permissions, except for maybe admin/not-admin, log who creates/edits content, and move on. Allow it to be a 2 week project, not a 2 month project that will never satisfy the increasingly byzantine permissions needs.
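A sketch of what "admin/not-admin plus a log" can look like, added here as an illustration and not taken from any real system: any staff member may create or edit, only admins may delete, and every action is recorded so a bad edit can be traced and undone. The class, method, and user names are hypothetical.

```python
from datetime import datetime, timezone

class SupportSite:
    """Two tiers only: any staff member may create/edit; only admins delete."""

    def __init__(self, admins):
        self.admins = set(admins)
        self.items = {}   # item_id -> current body
        self.audit = []   # append-only record of who did what, and when

    def _log(self, user, action, item_id, old_body):
        self.audit.append({
            "when": datetime.now(timezone.utc).isoformat(),
            "who": user, "action": action, "item": item_id,
            "old_body": old_body,  # kept so a bad edit can be reverted
        })

    def save(self, user, item_id, body):
        old = self.items.get(item_id)
        self.items[item_id] = body
        self._log(user, "create" if old is None else "edit", item_id, old)

    def delete(self, user, item_id):
        if user not in self.admins:
            # Denied attempts are logged too: the log replaces the permission tree.
            self._log(user, "delete-denied", item_id, self.items.get(item_id))
            raise PermissionError(f"{user} is not an admin")
        self._log(user, "delete", item_id, self.items.pop(item_id))

    def revert(self, user, item_id):
        """Undo the most recent edit of item_id; return whose edit was undone."""
        for rec in reversed(self.audit):
            if rec["item"] == item_id and rec["action"] == "edit":
                self.save(user, item_id, rec["old_body"])
                return rec["who"]
        raise LookupError("no edit to revert")

    def history(self, item_id):
        return [(r["who"], r["action"]) for r in self.audit if r["item"] == item_id]

def demo():
    # Constructed sample data: dana is the only admin.
    site = SupportSite(admins={"dana"})
    site.save("alex", "faq-1", "Reset your password from the login page.")
    site.save("sam", "faq-1", "Passwords cannot be reset.")  # a mistaken edit
    undone = site.revert("dana", "faq-1")
    try:
        site.delete("sam", "faq-1")
    except PermissionError:
        pass
    return site, undone
```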
There is a cliché in film, which is that if a crane is rented, every shot is a crane shot. In short, just because you CAN create these permissions structures, doesn't make them beneficial to your business.
It's important to realize that traditional business process and communication are still the forces that make business successful. Simply talk to people, and have them be responsible for the content they edit/submit; they are the people who run the business!
In the same way that people are responsible for locking the door when they leave, they are responsible for following basic business rules for this kind of exercise. You trust your staff to operate a part of your company, so why wouldn't you trust them with this? If you don't, then perhaps your company has larger problems.
Concentrate on the core deliverables of these ancillary projects, and be very skeptical of anything outside that. The 'bare minimum' gets a bad rap. With the definition of bare minimum to mean "the least that can be done to adequately satisfy the goals of a project", then 9/10 times (especially in areas that are not core), bare minimum is exactly what you should be striving for.
Keep focus on "what is our business", because if what you're doing isn't your business, then what are you doing?