What is the best way to handle multiple permission types?

I agree with John Downey.

Personally, I sometimes use a flagged enumeration of permissions. This way you can use AND, OR, NOT and XOR bitwise operations on the enumeration's items.

"[Flags]public enum Permission{    VIEWUSERS = 1, // 2^0 // 0000 0001    EDITUSERS = 2, // 2^1 // 0000 0010    VIEWPRODUCTS = 4, // 2^2 // 0000 0100    EDITPRODUCTS = 8, // 2^3 // 0000 1000    VIEWCLIENTS = 16, // 2^4 // 0001 0000    EDITCLIENTS = 32, // 2^5 // 0010 0000    DELETECLIENTS = 64, // 2^6 // 0100 0000}"

Then, you can combine several permissions using the AND bitwise operator.

For example, if a user can view & edit users, the binary result of the operation is 0000 0011 which converted to decimal is 3.
You can then store the permission of one user into a single column of your Database (in our case it would be 3).

Inside your application, you just need another bitwise operation (OR) to verify if a user has a particular permission or not.

The way I typically go about coding permission systems is having 6 tables.

• Users - this is pretty straight forward it is your typical users table
• Groups - this would be synonymous to your departments
• Roles - this is a table with all permissions generally also including a human readable name and a description
• Users_have_Groups - this is a many-to-many table of what groups a user belongs to
• Users_have_Roles - another many-to-many table of what roles are assigned to an individual user
• Groups_have_Roles - the final many-to-many table of what roles each group has

At the beginning of a users session you would run some logic that pulls out every role they have assigned, either directory or through a group. Then you code against those roles as your security permissions.

Like I said this is what I typically do but your millage may vary.

In addition to John Downey and jdecuyper's solutions, I've also added an "Explicit Deny" bit at the end/beginning of the bitfield, so that you can perform additive permissions by group, role membership, and then subtract permissions based upon explicit deny entries, much like NTFS works, permission-wise.