It basically comes down to indexing. Can you index the access control entries in the access control list for efficient querying?
If your table looks like this:
create table task (
id int primary key,
subject varchar(255) not null,
owner varchar(255) not null references some_user_table(name), --owner can has full permission on own record
acl varchar(max) null
);
And an ACL could look like this:
[ {grantee:"public", read:true, write:false, grantor:"reverend"} ]
How do you index such values? In Posgres, you can index JSON entire fields or individual JSON array entries, but not all array entries. I'm not too familiar with XML indexing in SQL Server, but it exists.
If your schema looks like this:
create table task (
task_id int primary key,
subject varchar(255) not null,
owner varchar(255) not null --references some user table
);
create table task_acl (
task_id int references task(task_id) on delete cascade,
grantee varchar(255) not null, --the role getting the privilege
privilege char(1) not null check (privilege in ('r', 'w', 't') ), --r=read, w=write, t=take ownership
admin_option boolean not null default false, --whether grantee can grant privileges to others for this task
grantor varchar(255) not null default current_user, --the role granting the privilege
primary key (id, grantee, privilege)
);
Then at least you can index the grantee and privilege fields.
You would query this with a WHERE EXISTS
clause to see if current user is in the ACL.