I don't understand why the 64 bit limit is a problem. The bits are used to identify operations. The user id should be stored in another field.

There is no possible way your users will think about the security of 64 different operations. Maybe I'm missing something though. Could you list some of the "real" permissions instead of just the read/write/execute example?

I designed a security module that stores object permissions in an ACL table. Each different operation is given a column in the ACL table. If the value of the column is even, permission is denied; if the value is odd, permission is granted.

The data model looks like this:

ACL (
  item_id integer,
  group_id integer,
  read_access integer,
  write_access integer,
  create_access integer,
  delete_access integer
  ...
)

-- All objects with security assignments have
-- an entry in the item table. Common attributes
-- such as owner, creation date, data retention
-- schedule, dispose-by date, etc. are stored
-- here too.

ITEM (
  id integer,
  ...
)

-- The session table is updated when a person
-- logs in. Hierarchical group memberships are
-- flattened out and inserted into the session
-- table.

SESSION (
  user_id integer,
  group_id integer
)
[download]

Each different object class can implement its own has_user_access method. The base class method does a simple ACL test using this query:

  select max(read_access)
    from acl, session
    where acl.group_id = session.group_id and
          acl.item_id = :ITEM and
          session.user_id = :USER
[download]

The results of these security tests are cached only for the immediate operation (Apache request object). I use a bit-field, but since it is just a cache, the implementation can change without affecting any other code. After the operation is complete, the cache is thrown away so that security information can not leak between user sessions. (It is not as horrible as it sounds -- the database keeps its own cache so these checks rarely hit the disk.)