I think the safest thing is to store the permissions in the database (or any other centralized server). The advantage is that if the permissions change, you have only one central place to change.
If any security configuration is in the application, then after a change you would have to make sure that no user is using secretly an old version...