My company recently bought PPM. They like it for the most part but have a new requirement.

The problem they are facing is if they use roles then anyone with that role can see the project but they want access to be configured for each Project at row level. The reason for this is they have vendors working on their Projects and they don't want them to see what other vendors/projects they are working with. So basically the Project Manager will decide who can view/Update a Project. Each Project (and related records) will have its own list.

The way I am thinking about designing this is to add a read/write watchlist macro on the form and have Project Managers maintain it. I can turn off all role based security or/and add an   ACL that checks if     'User belongs to the list on project' and it looks like I have to add this ACL to all related records to inherit this security   (Or maintain a seperate list on each record to provide individual access.control) This would totally override the role based access, I figured I wont need roles since all of the access is controlled by the list on the Project.

I see a lot of limitations and drawbacks of this design as well as but can't think of any better solution.

Looking for any solutions/recommendations/suggestions..