Entity Ownership?

I have the following scenario:

User belongs to one Group.

Group has a lot of boolean permissions.

Mask maintains a group to forum association.
Mask overrides some of the group permissions.

User has test methods like the following:

publicvirtualbool CanAddOwnThreads(Forum forum)

Check.Require(forum != null, “Forum must be provided!”[FONT=Consolas][SIZE=2]);

bool allow = Group.CanAddOwnThreads;

foreach (Mask mask in forum.Masks)
if (mask.Group == Group)
allow = mask.CanAddOwnThreads;

foreach (Moderator moderator in forum.Moderators)
if (moderator.User == this)
allow = moderator.CanAddOwnThreads;

return[FONT=Consolas][SIZE=2] allow;

Now here’s the thing. I cannot easily determine which entity this list should be maintained.

Mask m = new Mask(forum, group);

// option one

// option two

Either way, when a forum is deleted, it’s masks should also be deleted. The same goes for when a group is deleted.

Is there a better way to tell which entity I should maintain this in? Or should I include it in both.

There’s just no clear cut ownership here.