all good points. i need to familiarize myself with the acegi acl subsystem before i can comment on it, but i hope that we can reuse its default acl implementations. i also have to believe that it has out of the box group support, since this is such a common requirement.