Looking for Domain Permission Framework


I am currently building a project that needs a permissions framework. The overall idea is that you have a user, an object and a set of permissions, and I need to check whether a user has or lacks the specified permission on the object.

Problems:

  • Permissions may be granted to a group, and a group may aggregate other groups.
  • Aggregates always have their own set of permissions, but only some permissions are inherited by child objects; others are not.
  • Permissions may be granted on a group of (unrelated) objects.
  • Need for deny permissions.
  • It has to perform well for a large number of permission queries (I want to call it over a set of objects returned from a query).
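One way to model exactly these requirements, as an added example that is not part of the original post and not any existing framework: nested groups are resolved once per batch, grants live on objects or on object-groups, only grants flagged inheritable flow down the object hierarchy, and an explicit deny anywhere wins. All names (users, groups, objects) are constructed sample data.

```python
from collections import namedtuple
# allow=False is an explicit deny; inheritable says whether the grant flows down to child objects
Grant = namedtuple("Grant", "principal target permission allow inheritable", defaults=(True, False))

class Authorizer:
    def __init__(self, member_of, object_parent, object_groups, grants):
        self.member_of = member_of          # user or group -> set of groups containing it
        self.object_parent = object_parent  # object -> parent object (inheritance path)
        self.object_groups = object_groups  # object -> object-groups of unrelated objects
        self.index = {}                     # (target, permission) -> grants, no full scans
        for g in grants:
            self.index.setdefault((g.target, g.permission), []).append(g)

    def principals_of(self, user):
        # the user plus the transitive closure over nested groups; resolved once per batch
        seen, stack = {user}, [user]
        while stack:
            new = self.member_of.get(stack.pop(), set()) - seen
            seen |= new
            stack.extend(new)
        return frozenset(seen)

    def has_permission(self, principals, obj, permission):
        # targets: the object and its object-groups directly, then its ancestors as inherited
        targets = [(obj, False)] + [(og, False) for og in self.object_groups.get(obj, ())]
        parent = self.object_parent.get(obj)
        while parent is not None:
            targets.append((parent, True))
            parent = self.object_parent.get(parent)
        allowed = False  # default deny: no matching grant means no access
        for target, inherited in targets:
            for g in self.index.get((target, permission), ()):
                if g.principal not in principals or (inherited and not g.inheritable):
                    continue
                if not g.allow:
                    return False  # an explicit deny anywhere beats every allow
                allowed = True
        return allowed

    def filter_permitted(self, user, objects, permission):
        principals = self.principals_of(user)  # group closure computed once for the whole set
        return [o for o in objects if self.has_permission(principals, o, permission)]

# constructed sample data (not from the post): editors and interns are both aggregated by staff
AUTHZ = Authorizer(
    member_of={"alice": {"editors"}, "bob": {"interns"}, "editors": {"staff"}, "interns": {"staff"}},
    object_parent={"doc1": "folder", "doc2": "folder"},
    object_groups={"doc2": {"confidential"}, "memo": {"confidential"}},
    grants=[Grant("staff", "folder", "read", True, True),   # inheritable: reaches doc1 and doc2
            Grant("staff", "folder", "admin"),              # not inheritable: folder itself only
            Grant("interns", "confidential", "read", False)],  # deny on an object group
)
```

With this data, `AUTHZ.filter_permitted("bob", ["doc1", "doc2", "memo", "folder"], "read")` keeps only `doc1` and `folder`: the intern deny on the `confidential` object-group blocks `doc2` and `memo` even though the inherited staff grant would otherwise allow `doc2`.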

I considered AzMan, and it would be great, but as far as I know, it handles only roles, not permissions on objects, and while I could handle this using some sort of naming convention, I would rather avoid it. Creating objects in Active Directory and using Windows Permissions on them is most probably not a good idea either.

Any suggestions?