-- Schema sketch (columns elided with "...") followed by the read-access
-- check that runs against it.

-- Access flags a group holds on an item.
-- NOTE(review): the meaning of the integer values is not shown here; the
-- query below takes max(), so presumably a larger value means more
-- access. Confirm before relying on it.
ACL (
    item_id       integer,
    group_id      integer,
    read_access   integer,
    write_access  integer,
    create_access integer,
    delete_access integer
    ...
)

-- Every object that carries security assignments has a row in ITEM.
-- Shared attributes (owner, creation date, data retention schedule,
-- dispose-by date, etc.) are kept on this row as well.
ITEM (
    id integer,
    ...
)

-- SESSION is written when a person logs in: their hierarchical group
-- memberships are flattened out and inserted here.
-- NOTE(review): memberships are copied at login, so a group change made
-- afterwards is presumably not seen by the access check until these rows
-- are rewritten. Confirm how logout and revocation clear or refresh them.
SESSION (
    user_id  integer,
    group_id integer
)

####
-- Highest read_access that any of the user's session groups holds on the
-- item. :ITEM and :USER are bind parameters and should stay bound rather
-- than being spliced into the statement text.
-- max() over zero matching rows yields NULL, so the caller has to handle
-- NULL explicitly (deny is the safe reading).
select
    max(read_access)
from acl
inner join session
    on acl.group_id = session.group_id
where acl.item_id = :ITEM
  and session.user_id = :USER