Well, I was thinking if the end user wants to give a higher resolution on what to allow and what not, he/she could add flags corrosponding with new user groups in the active directory. this would make the security setup of the app very flexible.