The way we have our security setup in Sitecore, we have departmental roles that, through inheritance, define security on specific site sections. For instance, role "A" has write access to a section of the site, while role "B" has write access to a different section.
Let's say we then have a workflow we need to attach to these content items. We have specific "Functional" roles, like "Author" or "Approver". Authors submit content to be approved after they draft it, approvers can't touch it until it reaches the approval state and so on and so forth. If I need to "Author" content, I have to have roles "A" and "Author", or "B" and "Author."
This works well except for when people need specific roles for a department. If I need to "Author" "A" content and "Approve" "B" content, I have to have the roles "A", "B", "Author", and "Approver". The problem is that there's no way to tell the system that they need to be prohibited from "Authoring" "B" content, or vice versa.
It seems like the only way around this is to have "A Dept Author", "B Dept Author", etc. roles, but as the number of departments and functions increases, this will become a maintenance nightmare. What are Sitecore's best practices regarding this seemingly common situation?
Thanks.
Edit: We are using the latest rev. of Sitecore 6.4.
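The access leak described in the question, modelled as an added example that is not part of the original post and uses no Sitecore API: a flat check that tests department membership and function membership independently hands an "A Author / B Approver" user the extra grants "A Approver" and "B Author", while per-department compound roles give exactly the intended pairs. Department and function names are the post's own; the `can_flat`, `can_compound` and `compound_role` helpers and the sample user are constructed assumptions.

```python
"""Two ways of combining department roles with workflow-function roles.

Added example, not from the original post. The role names "A", "B",
"Author" and "Approver" come from the question; the check functions and
the sample users are constructed to illustrate the leak.
"""
from itertools import product

DEPARTMENTS = ["A", "B"]
FUNCTIONS = ["Author", "Approver"]


def can_flat(user_roles, department, function):
    """Additive model: department membership and function membership are
    tested separately, so any department role the user holds unlocks any
    function role the user also holds."""
    return department in user_roles and function in user_roles


def compound_role(department, function):
    """Name of a per-department functional role, e.g. 'A Dept Author'."""
    return f"{department} Dept {function}"


def can_compound(user_roles, department, function):
    """Compound model: the grant itself is the (department, function) pair."""
    return compound_role(department, function) in user_roles


def effective_grants(check, user_roles):
    """Every (department, function) pair the check allows for this user."""
    return {(d, f) for d, f in product(DEPARTMENTS, FUNCTIONS)
            if check(user_roles, d, f)}


def unintended_grants(user_roles, intended):
    """Pairs the flat model grants beyond what the administrator intended."""
    return effective_grants(can_flat, user_roles) - set(intended)


def compound_role_count(n_departments, n_functions):
    """Roles an administrator must maintain under the compound model."""
    return n_departments * n_functions


# Constructed scenario from the question: authors in A, approves in B.
INTENDED = [("A", "Author"), ("B", "Approver")]
FLAT_USER = {"A", "B", "Author", "Approver"}
COMPOUND_USER = {compound_role(d, f) for d, f in INTENDED}

if __name__ == "__main__":
    print("flat model leaks:", sorted(unintended_grants(FLAT_USER, INTENDED)))
    print("compound model grants:",
          sorted(effective_grants(can_compound, COMPOUND_USER)))
    print("compound roles for 5 departments x 4 functions:",
          compound_role_count(5, 4))
```

The `unintended_grants` check doubles as an audit: run it over every account that holds more than one department role and more than one functional role, since those are exactly the users for whom the flat model over-grants. The `compound_role_count` line makes the maintenance cost of the alternative explicit (departments times functions).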