Sorry I can only type English from my employer's PC.
I suggest using a separate database to maintain "权限管理" policies. "管理员" can maintain the whole database; "领导" maintains the policy data of his department. Authorization is done by a service that inquires this database. It is separated from the business logic thus it can be changed anytime. Also you can define very complicated policies with a program language.
The drawback is that the whole system will not work if the policy inquiry service is down. What's more important is how to implement the whole system in a secure way.
Actually I think this is generic enough to start a new JDon project:) BEA has a product called WebLogic Enterprise Security, I guess it provides more commercial functions.