Peter, the thing you are missing is that in a lot of cases (in fact almost every case) the permission is not granted directly; a given user has or doesn't have it by virtue of being in the right group, and the object generally inherits the permission from another object.

To get it right, if you add or remove someone from a group you would have to flush all permissions for that user (strictly speaking you might be able to hold on to some, but I think that would cost more than just flushing them all). If you change a permission on an object you would need to flush all the ones on that object or on any object that inherits permissions from that object.

As it stands, granting and revoking direct permissions via the Tcl API will flush properly, and I made a couple of other operations flush as well, but really getting it right is quite hard.
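The two flush rules described in the post, as an added example that is not code from this thread or from the OpenACS Tcl API; the class, method names and the in-memory data layout are my own assumptions for illustration:

```python
# Added example (not OpenACS code): a minimal permission cache that applies
# the two invalidation rules from the post. Group membership changes flush
# every cached answer for that user; a grant/revoke on an object flushes
# that object and everything that inherits permissions from it.
from collections import defaultdict


class PermissionCache:
    def __init__(self):
        self.groups = defaultdict(set)  # user -> set of group names
        self.grants = set()             # (principal, object, privilege) direct grants
        self.parent = {}                # object -> object it inherits permissions from
        self.cache = {}                 # (user, object, privilege) -> bool
        self.computed = 0               # number of cache misses (for checking hits)

    def _descendants(self, obj):
        # obj plus every object that inherits from it, directly or transitively
        found, changed = {obj}, True
        while changed:
            changed = False
            for child, par in self.parent.items():
                if par in found and child not in found:
                    found.add(child)
                    changed = True
        return found

    def permission_p(self, user, obj, priv):
        key = (user, obj, priv)
        if key not in self.cache:
            self.computed += 1
            principals = {user} | self.groups[user]
            cur, ok = obj, False
            while cur is not None and not ok:  # walk up the inheritance chain
                ok = any((p, cur, priv) in self.grants for p in principals)
                cur = self.parent.get(cur)
            self.cache[key] = ok
        return self.cache[key]

    def set_membership(self, user, group, member=True):
        if member:
            self.groups[user].add(group)
        else:
            self.groups[user].discard(group)
        # Rule 1: membership changed -> flush every cached answer for that user
        self.cache = {k: v for k, v in self.cache.items() if k[0] != user}

    def set_grant(self, principal, obj, priv, granted=True):
        if granted:
            self.grants.add((principal, obj, priv))
        else:
            self.grants.discard((principal, obj, priv))
        # Rule 2: object changed -> flush it and every object inheriting from it
        stale = self._descendants(obj)
        self.cache = {k: v for k, v in self.cache.items() if k[1] not in stale}
```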