I need a finer grained access scheme for granting or denying access to contacts that CiviCRM is likely to allow in the near future. So I've created a Drupal-based access scheme to allow this.
The easiest way for me to proceed is to manage access to CRM data solely via Drupal-based UI, and keep non-authorized users entirely out of the CiviCRM-based UI. This would likely be implemented by a simple access check on the main menu handler in civicrm_menu().
Currently, this is done by checking the Drupal permission "access civicrm". But this access is used very widely throughout CiviCRM, and denying a user this access would hork API access as well.
I can probablly do this as a patch short run, but it would be very helpful if this were adopted into the main tree, since it makes a lot of access related problems go away for most applications.