I am developing a GWT application in which I'm using Spring Security to handle the authentication. My application will have 5 users, each with a different role.
- Superuser – This is the site owner and has read write access to everything.
- School owner – This is a person who owns school(s) that will use the application. This user has access to all their school(s).
- District manager – This is an employee of the site owner and has read access to the schools in that district. (A district is a physical area with a number of schools)
- School manager – Manages a particular school and has read and write access to everything on that school. Access is given by the school owner.
- Instructor – Has read and write access to only particular areas assigned to him/her by the school manager.
I've taken a look at different ways to implement such a security model and I'm torn between two ways of solving it using Spring Security. First, there's the complex way of doing it using 4 database ACL tables, as explained on the denksoft blog.
The other way is to use Expression-Based Access Control through the Spring Security expression language, which is much easier and doesn't require extra database tables.
My question is, from what I intend to achieve, which option is better to use and would give better results? I assume using the first option (database ACL tables) offers more customization. I'm from a RoR background and wonder why I'd need so many tables to achieve this. Is the expression language option a viable solution for this scenario? And if so, is there a nice starting point/tutorial for this? Advice is highly appreciated.
ACL may be overkill in this situation.
When checking for authorization, Spring EL should be enough, e.g.:
If the roles are hierarchical, then things get even easier once you group roles, by using one more level of indirection:
- Group "School owner": roles ROLE_School-owner + ROLE_School-manager + ROLE_Instructor
- Group "School manager": roles ROLE_School-manager + ROLE_Instructor
Then, if you need to check for school manager authorization, you only need to check for that role:
This will also give permission to a user of group "School owner", since that group also has the school manager role assigned.
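As an added illustration of the answer's approach (not code from the question or the answer), the role grouping can be expressed with Spring Security's RoleHierarchyImpl and the checks written as @PreAuthorize expressions. The upper-case role names, SchoolService, School and the schoolAccess bean are my own naming and assumptions; Spring Security 3.1 or later is assumed on the classpath.

```java
import java.util.Collection;
import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;

public class RoleHierarchyExample {

    /** One level of indirection: owner implies manager, manager implies instructor. */
    public static RoleHierarchyImpl schoolRoleHierarchy() {
        RoleHierarchyImpl hierarchy = new RoleHierarchyImpl();
        hierarchy.setHierarchy(
            "ROLE_SUPERUSER > ROLE_SCHOOL_OWNER\n"
          + "ROLE_SCHOOL_OWNER > ROLE_SCHOOL_MANAGER\n"
          + "ROLE_SCHOOL_MANAGER > ROLE_INSTRUCTOR");
        return hierarchy;
    }

    /** Hypothetical service whose expressions stand in for per-row ACL tables. */
    public interface SchoolService {
        // Read: any caller holding, or outranking via the hierarchy, the manager role.
        @PreAuthorize("hasRole('ROLE_SCHOOL_MANAGER')")
        School findSchool(long schoolId);

        // Write: the role alone is not enough; the caller must also be tied to this
        // school. #schoolId binds the argument, principal is the logged-in user and
        // @schoolAccess is a hypothetical bean that looks up that assignment.
        @PreAuthorize("hasRole('ROLE_SCHOOL_MANAGER') "
                    + "and @schoolAccess.manages(principal, #schoolId)")
        void updateSchool(long schoolId, School changes);
    }

    /** Placeholder domain type for the example. */
    public static class School { }

    public static void main(String[] args) {
        Collection<? extends GrantedAuthority> owner =
            AuthorityUtils.createAuthorityList("ROLE_SCHOOL_OWNER");
        // Expands to OWNER, MANAGER and INSTRUCTOR, so an owner passes a manager-only check.
        System.out.println(schoolRoleHierarchy().getReachableGrantedAuthorities(owner));
    }
}
```

For hasRole to honour the grouping, the RoleHierarchyImpl bean has to be set on the method-security expression handler (setRoleHierarchy on DefaultMethodSecurityExpressionHandler); without that, an owner who does not also carry ROLE_SCHOOL_MANAGER is rejected by the manager-only check, which is worth a test in either direction.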