How do I create a Drupal installation 'partitioned' into access-controlled sections?

Hi all,

I have a question about how to organize a Drupal setup. I am new to Drupal specifically, and CMS in general.

I have an LDAP server (AD) which defined users and their group memberships. I need a way to 'partition' our setup in such a way as to let users create and edit articles only in their assigned 'partitions'.

For instance, suppose there are two groups, Marketing and Finance, defined by users' LDAP group memberships. I need to set up Drupal in such a way that the following constraints would be observed:

• Articles automatically have URLs which reflect their group-centric categorization, e.g. there should be articles /Marketing/Foo, /Marketing/Bar, /Finance/Baz, etc. The group-named URL prefixes would form the visible manifestation of the 'partitioning'. The partitioning would probably be done via something like categorization.
• When users create a new article, it's automatically placed into one of the 'partitions' according to the user's group membership. If a given user has edit privileges in both Marketing and Finance groups, they should be able to pick which partition the article goes into
• Users should only be able to edit (some) articles within their partition. I.e. a Marketing user may or may not be able to edit all the articles in the Marketing partition (that's still to be determined), but they should definitely not be able to edit articles in the Finance partition.

Can anyone help me understand what it would take to achieve this sort of setup? I understand that I would need to set up the LDAP connector and establish group mapping for it, but beyond that, what would it take to permit me to 'partition' the Drupal installation in such a way as I described above? Are there extensions which make this possible, or perhaps core functionality that I am not aware of which can accomplish this?

The flow I am imagining (and mind you, this is pure imagination) is something like this:

• When a user creates an article, it's automatically categorized based on their group membership, e.g. 'Marketing'.
• This categorization is mandatory and automatic, cannot be removed, and can only be edited if the user has membership in multiple groups.
• Being in a group-based category automatically creates a user-friendly alias for the article based on its category and title, e.g. when a member of the Marketing group creates an article titles 'How to sell snow in the winter', it becomes accessible via URL '/Marketing/How-to-sell-snow-in-the-winter'.

Is something like this -- or any other solution for the problem outlined earlier -- possible, using standard Drupal facilities and extensions?

I already have LDAP, OG, Pathauto, and GlobalRedirect extensions.

Any and all advice and feedback is welcome.