I think some clarification is in order for the several "Permissions has problems" posts. Specifically, several people have talked about design & redesign, and I *think* they mean they like the requirements and goals of the system, and just need it faster.
http://acs40.arsdigita.com/doc/acs-kernel/permissions/requirements.html vs.
http://acs40.arsdigita.com/doc/acs-kernel/permissions/design.html

Looking at the requirements doc, one sees that the system answers more than "Can A do B?". Answering "Can A do B?" seems to be where most permissioning systems stop; I like that this one makes it possible to answer other questions (from http://acs40.arsdigita.com/doc/acs-kernel/permissions/requirements.html ):
"Which parties may perform operation O on target T?"
"Which operations may party P perform on target T?"
"Upon which targets may party P perform operation O?"
These questions occur less often, and so could afford to be slower than the primary question, but they're still important and shouldn't be forgotten, and are awfully hard to answer without a table in the RDBMS to query against (which is also a requirement for writing queries that only return appropriate objects - basically any system that isn't in the RDBMS would suck because a lot of filtering of query result sets would be required).
ADSI doesn't seem to be an answer because it looks like LDAP - "Give me info about Bob, please" - and doesn't seem to answer things like "Who can read my document?" or really be meant for controlling access to items on a finer scale than a bunch of items with a few groups each (as opposed to a zillion items and a zillion groups). If I'm missing something, please point it out; I've only read their interface whitepaper (and fail to see what it does beyond replace LDAP).
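As an added illustration of the point above (this is not part of the post and not the ACS 4.0 data model), the following Python script builds a small, constructed permissions schema in an in-memory SQLite database and answers all four questions from the requirements doc with the same SQL. The tables, names and sample grants are hypothetical; the only thing being demonstrated is that once grants, group membership and the object hierarchy live in the RDBMS, "who can read my document?" and "which documents can Bob read?" are ordinary queries, and the last of them doubles as the filter for a listing that should only return objects the caller may see.

```python
import sqlite3

# Constructed schema (hypothetical, not the ACS 4.0 schema): parties (users and
# groups), nested group membership, an object hierarchy, and direct grants.
SCHEMA = """
CREATE TABLE parties     (party_id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE memberships (group_id INTEGER NOT NULL, member_id INTEGER NOT NULL);
CREATE TABLE objects     (object_id INTEGER PRIMARY KEY, name TEXT NOT NULL,
                          parent_id INTEGER REFERENCES objects(object_id));
CREATE TABLE grants      (grantee_id INTEGER NOT NULL, privilege TEXT NOT NULL,
                          object_id INTEGER NOT NULL);
"""

# Constructed sample data: alice is in editors, editors and bob are in staff;
# memo.txt sits under docs, which sits under site.
SAMPLE = [
    ("INSERT INTO parties VALUES (?, ?)",
     [(1, "alice"), (2, "bob"), (3, "editors"), (4, "staff")]),
    ("INSERT INTO memberships VALUES (?, ?)", [(3, 1), (4, 3), (4, 2)]),
    ("INSERT INTO objects VALUES (?, ?, ?)",
     [(10, "site", None), (20, "docs", 10), (30, "memo.txt", 20), (40, "public.html", 10)]),
    ("INSERT INTO grants VALUES (?, ?, ?)",
     [(4, "read", 10), (3, "write", 20), (2, "admin", 40)]),
]

# Effective permissions: a grant to a group applies to every (transitive)
# member, and a grant on an object applies to everything beneath it.  UNION
# (not UNION ALL) de-duplicates rows, so cyclic memberships cannot loop.
EFFECTIVE = """
WITH RECURSIVE
  party_groups(party_id, grantee_id) AS (
    SELECT party_id, party_id FROM parties
    UNION
    SELECT pg.party_id, m.group_id
      FROM party_groups pg JOIN memberships m ON m.member_id = pg.grantee_id
  ),
  object_ancestors(object_id, ancestor_id) AS (
    SELECT object_id, object_id FROM objects
    UNION
    SELECT oa.object_id, o.parent_id
      FROM object_ancestors oa JOIN objects o ON o.object_id = oa.ancestor_id
     WHERE o.parent_id IS NOT NULL
  ),
  effective(party_id, privilege, object_id) AS (
    SELECT DISTINCT pg.party_id, g.privilege, oa.object_id
      FROM grants g
      JOIN party_groups pg ON pg.grantee_id = g.grantee_id
      JOIN object_ancestors oa ON oa.ancestor_id = g.object_id
  )
"""

# All four questions share one join; only the WHERE clause changes.
FROM_CLAUSE = """
    FROM effective e
    JOIN parties p ON p.party_id = e.party_id
    JOIN objects o ON o.object_id = e.object_id
"""


def build_db():
    """Create the in-memory database and load the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for sql, rows in SAMPLE:
        conn.executemany(sql, rows)
    return conn


def _names(conn, select, where, params):
    rows = conn.execute(EFFECTIVE + select + FROM_CLAUSE + where, params)
    return sorted(row[0] for row in rows)


def can(conn, party, privilege, obj):
    """Primary question: can party P perform operation O on target T?"""
    return bool(_names(conn, "SELECT 1",
                       "WHERE p.name = ? AND e.privilege = ? AND o.name = ?",
                       (party, privilege, obj)))


def who_can(conn, privilege, obj):
    """Which parties may perform operation O on target T?"""
    return _names(conn, "SELECT p.name",
                  "WHERE e.privilege = ? AND o.name = ?", (privilege, obj))


def what_can(conn, party, obj):
    """Which operations may party P perform on target T?"""
    return _names(conn, "SELECT e.privilege",
                  "WHERE p.name = ? AND o.name = ?", (party, obj))


def which_objects(conn, party, privilege):
    """Upon which targets may party P perform operation O?  This is also the
    join that filters a listing down to objects the caller is allowed to see."""
    return _names(conn, "SELECT o.name",
                  "WHERE p.name = ? AND e.privilege = ?", (party, privilege))


if __name__ == "__main__":
    db = build_db()
    print("alice write memo.txt:", can(db, "alice", "write", "memo.txt"))
    print("who can write memo.txt:", who_can(db, "write", "memo.txt"))
    print("alice on memo.txt:", what_can(db, "alice", "memo.txt"))
    print("bob can read:", which_objects(db, "bob", "read"))
```

The three "less common" questions cost the same join as the primary one here; in a real deployment the recursive parts would be materialized or indexed, but the shape of the queries is the point: nothing has to be filtered in application code after the fact.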