The final piece of our centralized Authentication and Authorization strategy is a security server that allows a client with an OAuth2 Bearer token to access the user-group system, role-permission system, and to authenticate to our applications on behalf of a user using JWT. We're still working on a UI that will allow delegated administration (we've got 200k active users to manage) so that a manager will be granted the right to administer certain roles-permissions and it's then their responsibility for making sure their employees have the appropriate permissions.
We're in the process of adding ABAC style permissions so that we can manage user access in n-dimensions while slicing data (an employee might be allowed to manage financial data per the RBAC roles they're assigned but we also need to make sure they can only charge expenses to accounts that they're responsible for and potentially to apply limits to what they can spend without higher approval).
The first parts of our system are functional and we'll be rolling several applications with simpler permissions out over the next two months. We've actually been thinking about this problem for over three years, implemented the first of the ANSI RBAC roles over two years ago and we're finally getting the last pieces in place to make the whole system work. The only outstanding question is whether we can create a centralized UI for managing ABAC controls since these controls commonly require the context of the external application to make any sense.
In any case, I hope the two links below help!
[1] http://csrc.nist.gov/groups/SNS/rbac/documents/draft-rbac-im...
[2] http://directory.apache.org/fortress/
P.S. I should also mention that the system that's been running for two years now provides RBAC for over 3M users with our non-privileged accounts.
