IME, this is how an enterprise-contender product should generally be built when it wants to touch many domains across the business. Starting with a reasonably rigorous access control model enables deeper business integration--and this is a product that, to be successful, can't live without that.

Man, if only SaaS would do just this instead of reinventing the wheel with their brain-dead scripting languages and limited APIs where they remove useful information and links between data.