Very interesting! Many years ago I implemented a mandatory access control system with complex access rules. In a similar fashion, I had to precompute authorisation, as it was just too damn slow to do it all on the fly. Not as complicated as yours, but same principle.
