Effective user management?

I am still going rounds with user management.

In this scenario, a user can have multiple usergroups, where each usergroup can have zero or more privileges attached to it. The privileges will be pre-defined, but the application will be able to create and modify any, or all, usergroups, so I cannot rely on the Authorize attribute to determine rights. Simply testing a usergroup (role) won't work here, because said usergroups may have been altered or deleted.

Now obviously, this doesn't lend itself very well to the built-in auth system, so I need to create my own. I've attempted this several times, in several different ways, and have run into the following issues.

  • Using a separate field for each pre-defined privilege in the usergroups table.

= This works, but is ungodly in terms of designing the entity and doing certain auth tests. The number of privileges is nearing the hundreds.

  • Using separate Privilege and UsergroupPrivileges tables.

= This also works, but requires more code in the auth testing, and forces the supposedly pre-defined privileges into a volatile table (who is to say the consumer isn't smart enough to mess with the table itself, causing problems).

Honestly, what is the best way to handle such situations? I am open to suggestions.
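As an added illustration of the second option (separate Privilege and UsergroupPrivileges tables), here is a self-contained Python/SQLite sketch; it is not the poster's code, and the table names, the four sample privilege names, the user id 42 and the two sample groups are all assumptions made up for the example. The point it demonstrates: the authoritative privilege catalogue lives in code (an enum) and is only mirrored into the table, the auth check tests for a privilege rather than a group name (so a deleted or renamed group simply stops contributing privileges), and a start-up check detects rows that were added to the privilege table by hand.

```python
import sqlite3
from enum import Enum


# Hypothetical pre-defined privilege catalogue, owned by the code (assumption:
# the post only says privileges are pre-defined and number in the hundreds).
class Privilege(str, Enum):
    USER_CREATE = "user.create"
    USER_DELETE = "user.delete"
    REPORT_VIEW = "report.view"
    REPORT_EXPORT = "report.export"


CATALOGUE = {p.value for p in Privilege}

# Assumed schema: a privilege table mirrored from the enum, editable usergroups,
# and two link tables. Deleting a group cascades; deleting a referenced
# privilege row is refused so the mirror cannot be silently shrunk.
SCHEMA = """
CREATE TABLE privilege (
    id   INTEGER PRIMARY KEY,
    name TEXT NOT NULL UNIQUE
);
CREATE TABLE usergroup (
    id   INTEGER PRIMARY KEY,
    name TEXT NOT NULL UNIQUE
);
CREATE TABLE usergroup_privilege (
    usergroup_id INTEGER NOT NULL REFERENCES usergroup(id) ON DELETE CASCADE,
    privilege_id INTEGER NOT NULL REFERENCES privilege(id) ON DELETE RESTRICT,
    PRIMARY KEY (usergroup_id, privilege_id)
);
CREATE TABLE user_usergroup (
    user_id      INTEGER NOT NULL,
    usergroup_id INTEGER NOT NULL REFERENCES usergroup(id) ON DELETE CASCADE,
    PRIMARY KEY (user_id, usergroup_id)
);
"""


def open_db():
    """Open an in-memory database and seed the privilege table from the enum."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO privilege(name) VALUES (?)",
                     [(name,) for name in sorted(CATALOGUE)])
    conn.commit()
    return conn


def check_catalogue(conn):
    """Compare the table against the code catalogue.

    Returns (rows_not_in_code, code_entries_missing_from_table); both sets
    should be empty at start-up, otherwise the table has been tampered with
    or the deployment is out of date."""
    db_names = {row[0] for row in conn.execute("SELECT name FROM privilege")}
    return db_names - CATALOGUE, CATALOGUE - db_names


def privileges_for_user(conn, user_id):
    """Effective privileges: the union over all of the user's groups, restricted
    to names the code knows. A row added by hand grants nothing."""
    rows = conn.execute("""
        SELECT DISTINCT p.name
        FROM user_usergroup uu
        JOIN usergroup_privilege up ON up.usergroup_id = uu.usergroup_id
        JOIN privilege p            ON p.id = up.privilege_id
        WHERE uu.user_id = ?
    """, (user_id,))
    return {row[0] for row in rows if row[0] in CATALOGUE}


def has_privilege(conn, user_id, privilege):
    """The auth test: asks for a privilege, never for a group name.
    Privilege(...) raises ValueError for a name not in the catalogue,
    which flags a programming error instead of silently failing open."""
    return Privilege(privilege).value in privileges_for_user(conn, user_id)


def grant(conn, group_id, privilege):
    conn.execute("INSERT INTO usergroup_privilege "
                 "SELECT ?, id FROM privilege WHERE name = ?",
                 (group_id, Privilege(privilege).value))


def demo():
    """Constructed scenario: user 42 is in two groups, one of which the
    application later deletes; then someone edits the privilege table by hand."""
    conn = open_db()
    conn.execute("INSERT INTO usergroup(id, name) VALUES (1, 'editors'), (2, 'auditors')")
    conn.executemany("INSERT INTO user_usergroup VALUES (?, ?)", [(42, 1), (42, 2)])
    grant(conn, 1, Privilege.REPORT_VIEW)
    grant(conn, 1, Privilege.REPORT_EXPORT)
    grant(conn, 2, Privilege.REPORT_VIEW)
    grant(conn, 2, Privilege.USER_CREATE)

    before = has_privilege(conn, 42, Privilege.USER_CREATE)   # via auditors
    conn.execute("DELETE FROM usergroup WHERE id = 2")         # app deletes the group
    after = has_privilege(conn, 42, Privilege.USER_CREATE)    # nothing grants it now
    still = has_privilege(conn, 42, Privilege.REPORT_VIEW)    # editors still does

    # Tampering: a row the code never defined, then granted to the editors group.
    conn.execute("INSERT INTO privilege(name) VALUES ('admin.everything')")
    conn.execute("INSERT INTO usergroup_privilege "
                 "SELECT 1, id FROM privilege WHERE name = 'admin.everything'")
    extra, missing = check_catalogue(conn)
    effective = privileges_for_user(conn, 42)
    return before, after, still, extra, missing, effective


if __name__ == "__main__":
    print(demo())
```

The same shape carries over to an ASP.NET authorization filter: replace the `Authorize(Roles=...)` check with a filter that loads the user's effective privilege set once per request and tests for the required `Privilege` member, and run `check_catalogue` (or its equivalent) at application start so a hand-edited privilege table is noticed rather than trusted.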