Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
05-25-2006, 05:10 AM
|
#1
|
Senior Member
Registered: Aug 2004
Location: Western Australia
Distribution: Debian 11
Posts: 1,300
|
root issues on multi lan/wan set up
Setting up computers scattered over the globe, in LAN, WAN etc.
The need seems to be to have one super "root" (and a delegate or deputy) who has access to everything and local "root" (and a delegate as above) who has access to local machines etc.
This could get rather complex and I wonder if there is anybody who could offer advice or suggest good material to learn from. It seems the usual permissions wouldn't really solve this problem.
What I probably need is some broad ideas as I cannot visualize a solution easily. I know of the existence of ACL but I'm not sure if it's the answer or not.
Thank you for your help
|
|
|
05-25-2006, 10:16 AM
|
#2
|
LQ Guru
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,831
|
Does everyone actually need full root access? You may wish to explore the use of "sudo". This allows you to grant access to users to run apps as root without actually giving them the root password. Another benefit is it logs everything so you can later see who did what if something goes wrong.
If you do need full root access a couple of ideas:
1) Create a "Security Server" to which only the global and his delegate have access. On this make everything secure and put an encrypted file (vim -x filename) that has the passwords for all systems. (We did this at one place I worked.)
2) Use a common root phrase that is modified based on location or machine name (ensuring only the global and the delegate know this is the method). Give the root password to each local and delegate only for their location.
Example:
common component: Pap3r
local identifier: First letter of city, First letter of country.
Password for Sydney Australia would be sPap3ra.
Password for New York City USA would be nPap3ru.
Password for Rio De Janeiro Brazil would be rPap3rb.
Password for Nairobi Kenya would be nPap3rk.
Very easy to remember for everyone involved. It is possible you'd end up with duplicates but they wouldn't be everywhere so it would be happenstance for someone to get to the right one unless they knew the local identifier methodology - that's why you restrict the knowledge of the methodology to the global and his delegate. You can make it even less likely by choosing something less obvious but easy for you to remember.
Last edited by MensaWater; 05-25-2006 at 10:17 AM.
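An added example (not part of the thread or any poster's configuration): the sudo delegation suggested in post #2, written as one sudoers policy that can be copied unchanged to every machine, with a global pair and per-site pairs. All user names, host names and the log path are hypothetical.

```sudoers
# Constructed example. One file, distributed to every host; each host only
# honours the rules whose host list matches its own name.

# Hosts grouped by site (short hostnames; hypothetical)
Host_Alias  SYDNEY  = syd-web01, syd-db01
Host_Alias  NAIROBI = nbo-web01, nbo-db01

# The global administrator and deputy, then each site's administrator and deputy
User_Alias  GLOBAL_ADMINS  = alice, bob
User_Alias  SYDNEY_ADMINS  = carol, dave
User_Alias  NAIROBI_ADMINS = erin, frank

# Record who ran what: syslog plus a dedicated file, with host and year in each entry
Defaults    syslog=authpriv
Defaults    logfile=/var/log/sudo.log
Defaults    log_host, log_year

# Global pair: any command, as any user, on every host
GLOBAL_ADMINS   ALL     = (ALL) ALL

# Site pairs: the same rights, but only on their own site's hosts
SYDNEY_ADMINS   SYDNEY  = (ALL) ALL
NAIROBI_ADMINS  NAIROBI = (ALL) ALL
```

Check the file with `visudo -c -f <file>` before distributing it, and confirm on a host with `sudo -l` run as each kind of user. Each administrator authenticates with their own password, so no root password has to be shared, and the log shows which named account ran each command.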
|
|
|
05-26-2006, 04:21 AM
|
#3
|
Senior Member
Registered: Aug 2004
Location: Western Australia
Distribution: Debian 11
Posts: 1,300
Original Poster
|
Thank you for your answer, a combination of "sudo" and passwords as you describe sounds like a good solution.
|
|
|
All times are GMT -5. The time now is 01:20 PM.