I have a time recording database system. All data is entered via web forms to an Oracle database.
Basically there are three program parts: the data entry, the data checker, and the report generation.
The only security in place is a table holding login details (username + password). Oracle security can't be used because the DBA has yet to give everyone an Oracle account (maybe some day though).
Everyone has access to the data entry form, some also have access to the checker and some options on the reports, others may have access to reports, but not the checker. What I want to know is how I should break this down into security levels.

I would like to add a single column to the login table with the access permissions, but the rights don't increase in a logical order (i.e. 1-9).

Also, does anyone know of any good guides on designing multi-level security systems?
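
An added example, not part of the original post: one way to keep a single permissions column when the rights do not form an ordered ladder is to store one bit per program part and test membership with a bitwise AND. The flag names, bit values, and sample users below are assumptions made for illustration; in Oracle the same test can be written in a query with `BITAND(column, flag)`.

```python
from enum import IntFlag


class Perm(IntFlag):
    # One bit per program part named in the post (bit values are assumed).
    ENTRY = 1           # data entry form
    CHECKER = 2         # data checker
    REPORTS = 4         # report generation
    REPORT_OPTIONS = 8  # extra report options given to some checker users


ALL_BITS = int(Perm.ENTRY | Perm.CHECKER | Perm.REPORTS | Perm.REPORT_OPTIONS)

# Constructed stand-in for the login table: username -> permissions column value.
LOGIN_PERMS = {
    "alice": 11,  # ENTRY | CHECKER | REPORT_OPTIONS
    "bob": 5,     # ENTRY | REPORTS (reports but not the checker)
    "carol": 1,   # ENTRY only
}


def decode(value):
    """Turn a stored column value into flags, rejecting undefined bits."""
    if not isinstance(value, int) or value < 0 or value & ~ALL_BITS:
        raise ValueError(f"invalid permission value: {value!r}")
    return Perm(value)


def has_access(username, required):
    """True only if every bit in `required` is set; unknown users get nothing."""
    stored = decode(LOGIN_PERMS.get(username, 0))
    return (int(stored) & int(required)) == int(required)


def grant(value, flag):
    """Return the new column value with `flag` added."""
    return int(decode(value)) | int(flag)


def revoke(value, flag):
    """Return the new column value with `flag` removed."""
    return int(decode(value)) & ~int(flag)
```

Because each right is an independent bit, a new program part takes the next unused power of two without renumbering existing users, and the check should run server-side on every request rather than only when the form is drawn.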