Patterns / design suggestions for permission handling

Question

We have a rather complicated system of permission handling in our (ASP.NET web) application. Users can have specific permissions on different kinds of objects, some permissi

Answer 1

I have not dealt with this from an application development standpoint, but often when dealing with permissions it is a good practice to set permissions for objects using roles, rather than giving users permission directly to the object. If a user needs access to a particular set of objects, you don't give them access directly, you instead give them a role, which in turn has the needed access. This in a way "reuses" the work that was put into creating the role.

Dealing with this in code however can get complicated, since you need to iterate through each of a user's roles and determine if the role gives the user permission to the object. I don't know any specific suggestions on dealing with that other than the obvious of trying to factor that kind of code into its own framework.