How do I inject access control into a service layer of mvc application?

I'm coding a zend framework application using the the standard mvc paradigm with an added service layer to take care of application/business logic. It seems quite popular to put your access control into your services, rather than your modules/controllers/actions, however, I have only seen simple examples with static roles and permissions for those roles.

My application will be using a dynamic acl, allowing the admin user to add roles and set permissions on those roles. I have two questions:

1. How do you map permissions in user land to that of services and methods in services? I don't believe it should be a 1:1 mappi开发者_JS百科ng. If your application is sufficiently large, you will have many services with many methods, and the permission structure will quickly become confusing for an end user setting permissions for a role.
2. I have services that are global to the application and not specific to a module. How would you set permissions for those services based on the module that is accessed?

Any help would be greatly appreciated.