You may like to look at role based access control as another option. (This may be similar to the capability comment above - it sounds close but I'm not sure).