Windows Authentication using roles for CRUD restrictions
I am a student who is working on a website that has some things in common with SharePoint. I use ASP.NET MVC 3 to create an intranet site so people can be authenticated by Active Directory. I have trouble implementing these requirements:
- Users can define roles (not AD groups) and link Active Directory users to these roles.
- When documents or folders are uploaded, the user can give roles CRUD access to the document or can restrict roles from it.
Please help me or give me a link to a good article:)
-- Names such as create, read, update, delete and user are reserved words
-- in T-SQL, so they are bracket-quoted throughout.

-- Default CRUD rights granted to every user in the role
CREATE TABLE [role]
(
    [role] NVARCHAR(50) NOT NULL PRIMARY KEY,
    [create] BIT NOT NULL,
    [read] BIT NOT NULL,
    [update] BIT NOT NULL,
    [delete] BIT NOT NULL
);

-- Documents and folders; id_parent points at the containing folder
CREATE TABLE item
(
    id INT NOT NULL PRIMARY KEY,
    name NVARCHAR(50) NOT NULL,
    id_parent INT,
    CONSTRAINT FK_item_item FOREIGN KEY(id_parent) REFERENCES item(id)
);

-- Links an Active Directory user name to an application role
CREATE TABLE [user]
(
    id INT NOT NULL PRIMARY KEY,
    adUserName NVARCHAR(50) NOT NULL,
    [role] NVARCHAR(50) NOT NULL,
    CONSTRAINT FK_user_role FOREIGN KEY([role]) REFERENCES [role]([role])
);

-- Per-user, per-item rights
CREATE TABLE user_item_rights
(
    id_user INT NOT NULL,
    id_item INT NOT NULL,
    [create] BIT NOT NULL,
    [read] BIT NOT NULL,
    [update] BIT NOT NULL,
    [delete] BIT NOT NULL,
    CONSTRAINT PK_user_item_rights PRIMARY KEY(id_user, id_item),
    CONSTRAINT FK_user_item_rights_user FOREIGN KEY(id_user) REFERENCES [user](id),
    CONSTRAINT FK_user_item_rights_item FOREIGN KEY(id_item) REFERENCES item(id)
);
This should give you an idea of how you could implement this. You could also translate it to classes. You could also implement CRUD inheritance and so on, or define a role_item_right table. In my idea the user_item_rights overrides the default settings in the role.
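The override rule described in the answer (a user_item_rights row takes precedence over the role's default rights), written as a T-SQL lookup with a default-deny check. This is an added example, not part of the original answer; the function name dbo.effective_item_rights, its parameters, the result column names and the sample values are assumptions.

```sql
-- Added example: resolves the effective CRUD rights of one AD user on one item.
-- Assumes the four tables from the answer exist and that adUserName is unique.
-- dbo.effective_item_rights is a hypothetical name.
CREATE FUNCTION dbo.effective_item_rights
(
    @adUserName NVARCHAR(50),  -- take this from the authenticated Windows identity, not from request data
    @itemId     INT
)
RETURNS TABLE
AS
RETURN
(
    SELECT
        u.id AS id_user,
        i.id AS id_item,
        -- A user_item_rights row, when present, overrides the role default;
        -- otherwise the LEFT JOIN yields NULL and the role value is used.
        COALESCE(uir.[create], r.[create]) AS can_create,
        COALESCE(uir.[read],   r.[read])   AS can_read,
        COALESCE(uir.[update], r.[update]) AS can_update,
        COALESCE(uir.[delete], r.[delete]) AS can_delete
    FROM [user] AS u
    JOIN [role] AS r
        ON r.[role] = u.[role]
    JOIN item AS i
        ON i.id = @itemId
    LEFT JOIN user_item_rights AS uir
        ON uir.id_user = u.id
       AND uir.id_item = i.id
    WHERE u.adUserName = @adUserName
);
GO

-- Default deny: an unknown user or item returns no row, so EXISTS is false.
-- The user name and item id below are constructed sample values.
IF EXISTS (SELECT 1
           FROM dbo.effective_item_rights(N'CONTOSO\alice', 42)
           WHERE can_read = 1)
    PRINT 'read allowed';
ELSE
    PRINT 'read denied';
```

Because the override columns are NOT NULL, an override row replaces all four role defaults at once, so it can revoke a right as well as grant one.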