The big evil in software - assumption - strikes again! Every assumption begins with an ass, this time the ass was me. I assumed a security setting was available in a specific app, yet today it was pointed out that it is not. So here we are late in a project designing the least of evil implementation in order to hack it in. Note that our preferred implementation requires ripping out the application authorization implementation completely and using a custom role provider, however that is completely out of scope.
So, we meet up in the middle somewhere. But what can you do? Do you spend the time up front doing all the research to know for all of the features that are being implemented in a 3-4 month-er!? That would add a month at least to the schedule. Or take on a few surprises...or never do a 3-4 month-er. Break dem dere requirements up into smallest chunks and flip em out to prod in little bitty chunks until you get what you want.