I was wondering if anyone had done this before: applying TRM principles to security.

We're working on designing our repository, and HR mentioned that an ideal setup would be to allow a person's manager to access HR records that a manager needs access to. for simplicity, let's say 50% of employee records could be shared with a manager and 50% is for HR only. We could create a personnel folder with a "HR only" folder within it and set the security as appropriate; however, thinking about TRM, what about using metadata to assign the security?

Essentially, all record shortcuts would be accessible directly in the personnel folder, but whether or not a manager had access would depend on where the document was in the backend (which would be determined by a metadata field which would kick off a workflow to file appropriately). 

In the end, the configuration and training may be too complex making the "HR Only" file the better way to go, but just thought I'd put this out there.