This example demonstrates an ad-hoc system for object-level-permissions. See https://gist.github.com/bogeymin/6639176 for a django-guardian example. This example uses djorm and the array field for Postgres, so it is not portable, and comes with additional package requirements. But it should be much faster with few queries than with django-guardian.

olp-models2.py

class PermissionsModel(models.Model):
    """In this approach, permissions may be filtered directly using a queryset.
    """

    objects = ExpressionManager()

    groups = ArrayField(dbtype="int", null=True)
    users = ArrayField(dbtype="int", null=True)
    

class ProjectPermissions(PermissionsModel):
    """Each object can have permissions. No use of ContentType required."""
    project = models.OneToOneField("Project", related_name="permissions")
    
    
class Project(models.Model):
    added_by = models.ForeignKey(User, related_name="added_by_projects")
    assigned_to = models.ForeignKey(User, related_name="assigned_to_projects")
    owned_by = models.ForeignKey(User, related_name="owned_by_projects")
    
    is_private = models.BooleanField()
    all_access = models.BooleanField()
    
    departments = models.ForeignKey(Department)
    restrict_access_by_default = models.BooleanField()
    
    team_members = models.ManyToManyField(User, related_name="team_projects")
    
    def _build_group_permissions(self):
        permissions = list()

        if self.all_access:
            try:
                group = Group.object.get(name="Everyone")
                permissions.append(group)
                return permissions
            except Group.DoesNotExist:
                # Would need to alert the user that the Everyone group does not exist.
                pass

        # Another option for team_members would be to create a Django Group for
        # the project and add users to that group.

        if self.departments and self.restrict_access_to_departments:
            for department in self.departments.all():
                permissions.append(department.pk)

        return permissions

    def _build_user_permissions(self):
        permissions = list()
        permissions.append(self.added_by.pk)

        if self.is_private:
            return permissions

        if self.assigned_to:
            permissions.append(self.assigned_to.pk)

        if self.assigned_to:
            permissions.append(self.assigned_to.pk)

        if self.owned_by:
            permissions.append(self.owned_by.pk)

        if self.team_members:
            for user in self.team_members.all():
                permissions.append(user.pk)

        return permissions

    def save(self, *args, **kwargs):

        super(Project, self).save(*args, **kwargs)

        # Get or create a new permissions record.
        try:
            permissions = self.permissions
        except ProjectPermissions.DoesNotExist:
            permissions = ProjectPermissions(project=self)

        permissions.users = self._build_user_permissions()
        permissions.groups = self._build_group_permissions()

        permissions.save()
    
    def save(self, *args, **kwargs):

        super(Project, self).save(*args, **kwargs)

        # Get or create a new permissions record.
        try:
            permissions = self.permissions
        except ProjectPermissions.DoesNotExist:
            permissions = ProjectPermissions(project=self)

        permissions.users = self._build_user_permissions()
        permissions.groups = self._build_group_permissions()

        permissions.save()