I am designing a company intranet, have two working prototypes for the permissions structure, and am wondering which one is more efficient (or more accurately, if one or the other is just going to be too slow).

Method 1: There is a basic users table with userid as the primary key. Webpages are each assigned a groupid, which is essentially the permissions group to which it belongs. For instance, each department will have its own groupid, and every subpage in that department typically has the same groupid. I also have a "perms" table with userid as the primary key, and read, write, delete, etc. as fields. Each of these fields consists of a comma separated string containing the groupids to which that user has permission.

For example: IT has a groupid of 1, and HR has a groupid of 2. If I want userid 1 to have read access to both, the "read" field in the perms table has the string "1,2".

When the user logs in, I explode the comma separated string for each permission type (read, write, modify, delete, etc.) into an array, and store as a session variable. When that user tries to access a webpage, I use the "in_array" function to determine if that page's groupid exists in the session variable.

Method 2: I have the same users table, and the same groupids. But the permissions table has one record for each user for each groupid they have access to.

For example: Userid needs read access to both IT (groupid = 1) and HR (groupid = 2), but write access only to IT. The permissions table will look like this:

    userid   group   read   write
    -----------------------------
    1        1       1      1
    1        2       1      0

Method 1 seems to emphasize using the code to do most of the work, where Method 2 seems to emphasize using the database to do most of the work. I guess my dilemma is that I do not know whether the code in method 1 is outperforming the bigger query in method 2. I imagine as the number of users/groupids increases, the table size will increase exponentially in method 2.
Is method 2 preferable at smaller table sizes and method 1 preferable at larger sizes? When will CPU utilization become the bottleneck? I guess it is possible that both methods are equally viable given a reasonable number of records (2000 users, 50 groups) and also possible that I am approaching this from the completely wrong angle. Thoughts?
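
An added example, not part of the original post: both layouts from the question built in an in-memory SQLite database with the post's sample data, in Python (`split` and `in` stand in for PHP's `explode` and `in_array`). It runs each access check and then repeats it after a permission is revoked; the table names `perms_csv` and `perms_rows` and all function names are assumptions.

```python
import sqlite3

ACTIONS = ("read", "write")  # allowlist: column names cannot be bound as parameters

def build_db():
    """Constructed sample data: userid 1 reads IT (1) and HR (2), writes IT only."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE perms_csv (userid INTEGER PRIMARY KEY, "read" TEXT, "write" TEXT);
        INSERT INTO perms_csv VALUES (1, '1,2', '1');
        CREATE TABLE perms_rows (userid INTEGER, groupid INTEGER, "read" INTEGER,
                                 "write" INTEGER, PRIMARY KEY (userid, groupid));
        INSERT INTO perms_rows VALUES (1, 1, 1, 1), (1, 2, 1, 0);
    """)
    return db

def load_session(db, userid):
    """Method 1: split each CSV field once at login; the result lives in the session."""
    row = db.execute(
        'SELECT "read", "write" FROM perms_csv WHERE userid = ?', (userid,)
    ).fetchone()
    fields = row or ("",) * len(ACTIONS)  # unknown user: no groups at all
    return {a: {int(g) for g in (f or "").split(",") if g.strip()}
            for a, f in zip(ACTIONS, fields)}

def allowed_session(session, action, groupid):
    """Method 1 check: membership test against the cached set; unknown action denies."""
    return groupid in session.get(action, set())

def allowed_db(db, userid, action, groupid):
    """Method 2 check: one primary-key lookup per request; a missing row denies."""
    if action not in ACTIONS:
        return False
    row = db.execute(
        f'SELECT "{action}" FROM perms_rows WHERE userid = ? AND groupid = ?',
        (userid, groupid)).fetchone()
    return bool(row and row[0])

def demo():
    """Check HR read (groupid 2) in both methods before and after revoking it."""
    db = build_db()
    session = load_session(db, 1)  # taken at login
    before = (allowed_session(session, "read", 2), allowed_db(db, 1, "read", 2))
    db.execute('UPDATE perms_csv SET "read" = ? WHERE userid = 1', ("1",))
    db.execute('UPDATE perms_rows SET "read" = 0 WHERE userid = 1 AND groupid = 2')
    after = (allowed_session(session, "read", 2), allowed_db(db, 1, "read", 2))
    return before, after

if __name__ == "__main__":
    print(demo())
```

In the second tuple the session-cached check still grants HR read after the revocation, because the cached set is only rebuilt at the next login, while the per-request lookup denies it.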