We have a rather complicated system of permission handling in our (ASP.NET web) application. Users can have specific permissions on different kinds of objects, some permissi
I've seen several complicated permission schemes. There was always a justification for it, but unfortunately, at a point in time, they all became too complicated to deal with and were reduced to something simpler.
My personal conclusion now is: stick to role-based access control (RBAC); this is the only reasonable one that everybody understands. It's somewhat limited, but sufficient for most cases.
Also, use a deny-by-default policy, that is, you grant rights only. Again, I've seen systems with the opposite (allow by default) or even a configurable default policy (!), and I don't think that's reasonable.
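A grant-only, deny-by-default RBAC check of the kind recommended above, as an added example that is not part of the original answer or the asker's application. The class name, role names and permission strings are hypothetical, and the code uses plain C# collections rather than any ASP.NET authorization API.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Constructed sample model: role and permission names are hypothetical.
public sealed class RbacPolicy
{
    // Grants only: there is no "deny" entry to configure or to forget.
    private readonly Dictionary<string, HashSet<string>> _grants =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase);

    public void Grant(string role, params string[] permissions)
    {
        if (!_grants.TryGetValue(role, out var set))
            _grants[role] = set = new HashSet<string>(StringComparer.Ordinal);
        set.UnionWith(permissions);
    }

    // Deny by default: access requires an explicit grant on one of the user's roles.
    // Unknown roles, unknown permissions and users without roles all end in false.
    public bool IsAllowed(IEnumerable<string> userRoles, string permission)
    {
        if (userRoles == null || string.IsNullOrEmpty(permission)) return false;
        return userRoles.Any(r => r != null
            && _grants.TryGetValue(r, out var set) && set.Contains(permission));
    }
}

public static class Demo
{
    public static void Main()
    {
        var policy = new RbacPolicy();
        policy.Grant("Viewer", "document.read");
        policy.Grant("Editor", "document.read", "document.write");
        var checks = new (string[] Roles, string Permission)[]
        {
            (new[] { "Viewer" }, "document.read"),            // explicit grant
            (new[] { "Viewer" }, "document.write"),           // role lacks the grant
            (new[] { "Viewer", "Editor" }, "document.write"), // any one role may grant
            (new[] { "Contractor" }, "document.read"),        // role never configured
            (new string[0], "document.read"),                 // user without roles
            (new[] { "Editor" }, "document.delete"),          // permission never granted
        };
        foreach (var c in checks)
            Console.WriteLine(string.Join(",", c.Roles) + " " + c.Permission + " -> "
                + (policy.IsAllowed(c.Roles, c.Permission) ? "allow" : "deny"));
    }
}
```

Because the only way to reach `true` is a matching grant, a role or permission that someone forgot to configure fails closed instead of silently inheriting access.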