It seems to me that the aD design goal for the permissioning system was to be able to reach into one table or view and pull out a yes or no answer: permission to read, or not, or 'Can object A perform action B on object C'. Essentially this is done by counting at least one row in acs_object_party_privilege_map. This view is a join of two other views (acs_object_grantee_priv_map and group_member_map) unioned with one of the views (acs_object_grantee_priv_map). acs_object_grantee_priv_map is a join of two other views, etc...
Permissioning is either a difficult problem, or one that isn't solved very well in ACS. Although many times aD points out the state of the art for certain problems, I haven't seen a real discussion on this one.
The other day I set up an OpenLDAP server to work with the Netscape Roaming profile schema. I had to set one permission record in the startup file. This one record serves to configure access for all clients!
I don't really know if ldap is an answer, certainly not a simple answer. I just wonder how permissioning is done so easily in this application, and so painfully in the RDBMS world.