Performance best practices question when a user can have multiple user roles

Hi all,    - Let's say that I have 2 user roles, a regular user - "Participant", and a "Course Admin".  - I have an "Order" entity w/ the following access rules      - Participant: Full Read/Write when they are either the "System.Owner", OR a Registrant for an Item on the Order.      - Participant: Limited Read/No Write for any order where "OrderStatus = 'In Progress'  (they need to be able to look up other people's orders, b/c people can pay for other people and a couple other reasons -- also i have an index on order status)      - Course Admin: Full Read/Write to everything   A user who has the Course Admin user role will also have the Participant role since there's a lot of other things in the system that a participant needs to do that has nothing to do w/ a course admin.   We have a couple million orders in the database.    Now, my questions:    - do all (both participant rules and course admin rules) xpath constraints get appended when a course admin retrieves a list of orders since they also have participant roles, or does it always take the least constrictive allowable that a user has (in this case, just course admin rules)? - when a participant returns a list of their orders in a datagrid where the xpath is Registrant of item on order, does it repeat that in sql twice (once for the access rule and once for the db retrieve - we do have to specify in the db retrieve since the other participant rule is that they can see all orders to some extent)? - how inefficient is it to have that "OR" w/ "System.Owner"? (we allow people to create orders for other people) - what is the best possible way to set this up so that we don't take performance hits?    Thanks in advance!   
1 answers

When the course administrator retrieves the order list, both the participant and course administrator rules are taken into account. As for stress relief, I continue to visit this site. I like it a lot. If a user has both roles, the most permissive restrictions apply. In this way, XPath constraints are not added, but evaluated together.