[security-dev] Creating additional entities in IDM

One of our requirements is that we will need the notion of a OrganizationUnit, similar to an LDAP organizational unit. Essentially a more strict grouping (a group/user can only belong to one ou). Additionally, roles would be applicable to the OU in a similar way to groups, so that users within the org inherit the roles assigned to the OU. Are there any examples where we can augment the IDM model to support this case? We are using JPA as the persistence layer though. Thanks, Anil