Advice wanted on implementing user rights

From: Arjan D.W. de Haan <extrude2001_at_yahoo.com>
Date: Sat, 21 Jul 2001 23:32:20 GMT
Message-ID: <3fb18f77.0106280126.6f0d2a83_at_posting.google.com>


Hi.

I know this has come up before, but none of the messages I found specifically addresses the issues I have to deal with (long explanation follows)...

I have a legacy application which implements its user rights fairly simply:

- each user is granted a level from 0 to 9
- level 0 is full access; levels 1 till 9 can be set by the application controller to include/exclude whatever forms the application can present
- a lower level # automatically allows access to forms which require higher levels (sort of contradictory, but wait). For example, a form requires level 2 to be accessed; a user with level 1 then would also be able to view this form while a user with level 3 access would not

Currently I'm rewriting the entire application (it was written in Clipper) into an n-tier app using business objects. I am looking into moving the data to a SQL backend. I'm thinking of upgrading the user rights to something more flexible so I can specify read/write/delete rights for a user instead of the old all-or-nothing approach.

Q1: should I put the required user rights tables in the same database as the other data or lean toward using a separate database? The former suggests logging onto the database with a standard username/password while the latter could allow for logon accounts for each user (which presents another problem: most companies using the app do not have DBAs!)

Note: I also need to migrate data from the current legacy application to the new environment. If I implement a very different rights system in the new version I might get into trouble converting the old rights to the new system.

Any other ideas on how to implement a (proper) user rights design are much appreciated.

Tx.

--
Arjan D.W. de Haan
--
Received on Sun Jul 22 2001 - 01:32:20 CEST
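
The following is an added example, not part of the original message: one way to convert the legacy 0 to 9 levels described above into explicit per-form read/write/delete rows with default-deny checks. The table names, form names, users and the choice to map old all-or-nothing access onto all three rights are assumptions made for illustration.

```python
import sqlite3

# Constructed sample data: form names, required levels and users are hypothetical.
FORMS = {"invoices": 2, "payroll": 1, "reports": 5}   # form -> required legacy level
USERS = {"admin": 0, "clerk": 3, "manager": 1}        # user -> legacy level (0 = full access)

def legacy_allows(user_level, required_level):
    """Legacy rule from the post: level 0 sees everything; otherwise a user
    may open a form when their level number is <= the form's required level."""
    return user_level == 0 or user_level <= required_level

def migrate(conn, users, forms):
    """Expand each legacy level into explicit per-form rights rows.
    Assumption: old all-or-nothing access becomes read + write + delete."""
    conn.executescript("""
        CREATE TABLE app_user (name TEXT PRIMARY KEY,
            legacy_level INTEGER CHECK (legacy_level BETWEEN 0 AND 9));
        CREATE TABLE form (name TEXT PRIMARY KEY);
        CREATE TABLE form_right (
            user_name  TEXT NOT NULL REFERENCES app_user(name),
            form_name  TEXT NOT NULL REFERENCES form(name),
            can_read   INTEGER NOT NULL DEFAULT 0,
            can_write  INTEGER NOT NULL DEFAULT 0,
            can_delete INTEGER NOT NULL DEFAULT 0,
            PRIMARY KEY (user_name, form_name));
    """)
    conn.executemany("INSERT INTO app_user VALUES (?, ?)", list(users.items()))
    conn.executemany("INSERT INTO form VALUES (?)", [(f,) for f in forms])
    grants = [(u, f) for u, lvl in users.items() for f, req in forms.items()
              if legacy_allows(lvl, req)]
    conn.executemany("INSERT INTO form_right VALUES (?, ?, 1, 1, 1)", grants)
    conn.commit()

def can(conn, user, form, action):
    """Default deny: a missing row or a 0 flag means no access."""
    if action not in ("read", "write", "delete"):   # allowlist guards the column name
        raise ValueError(action)
    row = conn.execute(f"SELECT can_{action} FROM form_right "
                       "WHERE user_name = ? AND form_name = ?",
                       (user, form)).fetchone()
    return bool(row and row[0])

def build_demo():
    conn = sqlite3.connect(":memory:")
    migrate(conn, USERS, FORMS)
    # After migration a right can be narrowed per action, which levels could not express.
    conn.execute("UPDATE form_right SET can_delete = 0 WHERE user_name = 'clerk'")
    return conn
```

Keeping the `legacy_level` column after migration leaves an audit trail for checking converted rights against the old system.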
