In addition to the excellent information here, I have one thing to add about my implentation which allows some future flexibility.

I have used a bit model i.e. 1, 0 type of system for can they read, write, run etc. but I added another field in the table which is plain text which can contain special permissions.

This field is read by the applications which provide some access other than the simple common stuff when a relevant type of request comes in. We have an online MOTD type deal, and the people who can post to that have the text "news" in their special access field.

The upside is that most programs only look at the read/write which are integers and can be gotten really quickly but the news authoring program looks at the text field when someone requests the article authoring screen or sends in an article. This allows a new program to have a new capcbility added in this field but only those program which need the special features ask and only when a special feature is actually requested by the user.