[Using Sakai] Roles and access permissions...

[Gregory Guthrie]

I want to have some reports we use which run from an external tool (to the database) allowed only for users with certain Sakai permissions.

For example I would allow anyone with admin status to get a report for any site (or realm?), and for any specific site any instructor (or evaluator, program admin, ...) can get a report. 

The basic idea is that when someone asks for a report on a course, we would ask Sakai about their permissions on that site, and use that to decide on authentication (allow them to get a report).

But I am mot sure of a few points (or more...!?);
   - are there global roles? i.e. not site(course/project/...) specific?
      e.g. can someone be an "admin" which trumps any specific site permissions?
  - can one user have multiple roles on a site (like an ACL?)
       (I think no, just checking).
       For example could a student also be a TA?

Then I will need a webservice to get this information, I see several candidates, but have not tried them yet.
Basically the reporting tool will have a course name, and then want to check permissions.

Am I approaching this correctly, and any suggestions on a best solution?
-------------------------------------------