I work for a growing company that has several Rails-based SaaS applications. In its growth, the company is going after larger clients, and one of the features that has come up as a requirement for these large companies is more sophisticated user management to ease the management of their thousands of users. Right now, client membership is simplistic and completely flat, and we've been asked to replace that with a customizable nested user-group-role management system capable of modeling any (reasonable) corporate hierarchy. We expect this to be a colossal undertaking.
To complicate matters, the company is trying to grow the business into a "platform", so we've taken on a few mortar projects to glue our existing and future applications together. One of these is a user-group-role management SOA project that all of our platform applications will use via web services rather than implementing their own.
I realize that implementing user-groups is not a new problem, so I'm interested in horror and success stories, and, of course, recommendations. What's the zeitgeist? Does anyone have any recommended reading? Should we roll our own RDBMS schema to handle this system, or should we implement something like LDAP?