login, allow <-- User can log in customers, add, allow <-- User can add customers customers, edit, allow <-- User can edit customers customers, remove, deny <-- User cannot remove customersThen any variations from the default for that user are copied to the user record:
customer, 87, edit, deny <-- The user can edit all customers EXCEPT customer 87 invoice, 125, view, deny <-- The user can view all invoices EXCEPT invoice 125Then, I could simply decrypt the data and pull all rows with 'customer' for a specified PK and