We are building our new intranet on Drupal. We are a group of companies, i.e. our organizational structure consists of sub-companies, which again have sub-companies or departments, which also can have sub-departments and/or employees belonging to them. We need to have this organizational structure in our Drupal-based intranet system, both:
1) in terms of content: displaying the corporate structure as a hierarchical list of companies, sub-companies, departments; displaying employee listings per company and department;
2) in terms of access control: for every node (blog, news, photo, etc.) it should be possible to define which employees, departments, companies can view/edit/delete it.
Now my problem is not how to achieve 1) or 2) separately: For 1) displaying the corporate structure in terms of content, I could create content types like "company" and "department" and link them together with node_references and user_references (or even using a taxonomy), then use Views to generate certain listings; for 2) achieving access control, I could create a role for each company and department and use a module which allows defining content access per node.
However, as the corporate structure has to be dynamic (new employees come, new departments are created, employees change to another department, etc.) I do not know how to bring these 2 pieces together while avoiding redundancies. Handling them separately would mean that e.g. for a new department: an administrator 1) would have to create a new department node and define the user_references, then 2) create a new role for that department and add users to that role, which would create redundancies (e.g. when a user changes the department, the admin will update the user_reference field to the new department, but might forget to update his role membership to the new department, i.e. he will appear in the correct department listing (the content part) but will have the wrong rights (access control part)).
I am looking for a solution (ideas, modules, etc.) which brings both parts together.
My ideas so far:
- Using Rules: When a new Department node is created, a new Role with the same name is created; when a user is added to a Department, a Rule also triggers his assignment to the corresponding Role, etc. However, it seems somewhat fragile to me.
- Using OG (+ additional modules): As far as I know OGs are nodes, so I could create a hierarchy of OGs to build the corporate structure, while the OG itself provides the access control. However, it seems somewhat too heavy to me.
- Taxonomies + some taxonomy-based access modules: Well, I don't know.
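
Added example, not part of the original post and not Drupal code: a small Python model of the problem described above, in which access is derived from the department reference alone and a check reports users whose hand-maintained roles have drifted from it. All names and data are constructed, and it assumes that a grant on a company also covers its sub-units.

```python
# Constructed org structure: unit -> parent unit (None = top of the group).
PARENT = {
    "group": None,
    "company_a": "group",
    "company_b": "group",
    "dept_sales": "company_a",
    "dept_it": "company_b",
}
# Single source of truth: the department each user is referenced from.
USER_UNIT = {"alice": "dept_sales", "bob": "dept_it"}
# Redundant, hand-maintained roles. bob moved to IT but his role was not updated.
USER_ROLES = {"alice": {"dept_sales"}, "bob": {"dept_sales"}}
# Constructed per-node ACL: operation -> allowed units and users.
NODE_ACL = {"view": {"unit:company_a"}, "edit": {"user:bob"}}


def units_of(user):
    """Return the user's unit followed by all of its ancestors."""
    units, seen = [], set()
    unit = USER_UNIT.get(user)
    while unit is not None:
        if unit in seen:  # guard against a mis-edited, cyclic hierarchy
            raise ValueError(f"cycle in org structure at {unit}")
        seen.add(unit)
        units.append(unit)
        unit = PARENT[unit]
    return units


def can_access(user, acl, op):
    """Decide access from the hierarchy only (assumption: grants inherit downward)."""
    allowed = acl.get(op, set())
    if f"user:{user}" in allowed:
        return True
    return any(f"unit:{u}" in allowed for u in units_of(user))


def role_drift(user):
    """Compare the hand-maintained roles with what the department reference implies."""
    expected = {USER_UNIT[user]} if user in USER_UNIT else set()
    actual = USER_ROLES.get(user, set())
    return {"missing": expected - actual, "stale": actual - expected}


if __name__ == "__main__":
    for name in sorted(USER_UNIT):
        print(name, units_of(name), can_access(name, NODE_ACL, "view"), role_drift(name))
```

With this data, bob still holds the stale `dept_sales` role, yet the derived check denies him view access to the `company_a` node because his department reference now points to `dept_it`.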