I modeled my application using SQL first. I wanted to have users, roles, resources, and access. My privileges table contained {role, resource, access} entries. I then put it together with CsnAuthorization, and modeled it with MySQL Workbench:
Image: SQL with data: https://gist.github.com/dennis-fedco/7084960
Referential Integrity ensures that access (such as "cook") can only be added if there is a resource that exists (such as "Kitchen" controller), and that a privilege can only be added if a user/role and resource and access exists.
What I can call from my application is any one of these:
//ACL from username:
$acl->isAllowed($username, $resource, $action); //general
$acl->isAllowed("dennis", "Kitchen", "cook"); //specific
//ACL from role:
$acl->isAllowed($role, $resoure, $action); //general
$acl->isAllowed("dennis_cook", "Kitchen", "cook");//specific
CsnAuthorization call is similar, it just calls controller directly:
$acl->isAllowed($role, $controller, $action)