Thanks @der.einstein for your suggestins. Are really valuable, indeed.
modal window for electronic signature: I would just “force” the re-authentication of current user by only prompting for password, without the need of username.
User rights for each different role: There is no specific “configurable” view for this in SENAITE, but a rolemap file (see available permissions). With enough skills, one could configure the system with new roles and with desired permissions. New permissions might be required.
Ability to link LDAP users: Already supported. Look to plone.app.ldap and/or pas.plugin.ldap. Also a post here: Implementing LDAP
Is this something, that can be easily done via customization, or is re-coding of deeply buried code required here?
The meaning of the word “easy” strongly depends on the perceived complexity of a given problem or solution. Thus, it can drive to false expectations. These modifications are doable, but not something that can be done by adding some snippets here and there. Rather, require a skilled developer with experience in SENAITE, plus time and effort.