I don't remember exactly how we implemented permissions, but I remember that at some point (after extending sabre/dav pretty hard) we did all kinds of customer configuration (including ACL) based on virtual files. An admin would just change a virtual file with roles and we would receive it in our implementation as a method call.