I modeled my application using SQL first. I wanted to have users, roles, resources, and access. My privileges table contained {role, resource, access} entries. I then put it together with CsnAuthorization, and modeled it with MySQL Workbench:
Image: SQL with data: https://gist.github.com/dennis-fedco/7084960
Referential Integrity ensures that access (such as "cook") can only be added if there is a resource that exists (such as "Kitchen" controller), and that a privilege can only be added if a user/role and resource and access exists.
What I can call from my application is any one of these: