diff --git a/guacamole-ext/src/main/java/org/glyptodon/guacamole/net/auth/User.java b/guacamole-ext/src/main/java/org/glyptodon/guacamole/net/auth/User.java index 8409844c1..2cd5fea75 100644 --- a/guacamole-ext/src/main/java/org/glyptodon/guacamole/net/auth/User.java +++ b/guacamole-ext/src/main/java/org/glyptodon/guacamole/net/auth/User.java @@ -22,9 +22,9 @@ package org.glyptodon.guacamole.net.auth; -import java.util.Set; import org.glyptodon.guacamole.GuacamoleException; -import org.glyptodon.guacamole.net.auth.permission.Permission; +import org.glyptodon.guacamole.net.auth.permission.ObjectPermissionSet; +import org.glyptodon.guacamole.net.auth.permission.SystemPermissionSet; /** 
@@ -77,40 +77,39 @@ public interface User { * permissions, or if reading all permissions * is not allowed. */ - Set getPermissions() throws GuacamoleException; + SystemPermissionSet getSystemPermissions() throws GuacamoleException; /** - * Tests whether this user has the specified permission. + * Lists all permissions given to this user. * - * @param permission The permission to check. - * @return true if the permission is granted to this user, false otherwise. + * @return A Set of all permissions granted to this user. * - * @throws GuacamoleException If an error occurs while checking permissions, - * or if permissions cannot be checked due to - * lack of permissions to do so. + * @throws GuacamoleException If an error occurs while retrieving + * permissions, or if reading all permissions + * is not allowed. */ - boolean hasPermission(Permission permission) throws GuacamoleException; + ObjectPermissionSet getConnectionPermissions() throws GuacamoleException; /** - * Adds the specified permission to this user. + * Lists all permissions given to this user. * - * @param permission The permission to add. + * @return A Set of all permissions granted to this user. * - * @throws GuacamoleException If an error occurs while adding the - * permission. or if permission to add - * permissions is denied. + * @throws GuacamoleException If an error occurs while retrieving + * permissions, or if reading all permissions + * is not allowed. */ - void addPermission(Permission permission) throws GuacamoleException; + ObjectPermissionSet getConnectionGroupPermissions() throws GuacamoleException; /** - * Removes the specified permission from this specified user. + * Lists all permissions given to this user. * - * @param permission The permission to remove. + * @return A Set of all permissions granted to this user. * - * @throws GuacamoleException If an error occurs while removing the - * permission. or if permission to remove - * permissions is denied. 
+ * @throws GuacamoleException If an error occurs while retrieving + * permissions, or if reading all permissions + * is not allowed. */ - void removePermission(Permission permission) throws GuacamoleException; + ObjectPermissionSet getUserPermissions() throws GuacamoleException; } diff --git a/guacamole-ext/src/main/java/org/glyptodon/guacamole/net/auth/permission/ObjectPermissionSet.java b/guacamole-ext/src/main/java/org/glyptodon/guacamole/net/auth/permission/ObjectPermissionSet.java new file mode 100644 index 000000000..306417aac --- /dev/null +++ b/guacamole-ext/src/main/java/org/glyptodon/guacamole/net/auth/permission/ObjectPermissionSet.java 
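Review bot: The three new getters `getConnectionPermissions()`, `getConnectionGroupPermissions()` and `getUserPermissions()` all carry the same copied Javadoc, `Lists all permissions given to this user.` with `@return A Set of all permissions granted to this user.`, so nothing says which object type each set covers. Suggested summaries are `Returns the connection permissions granted to this user.`, `Returns the connection group permissions granted to this user.`, and for the last one (assuming it covers user objects) `Returns the permissions this user has on user objects.` Because `ObjectPermissionSet` in this commit declares `addPermission` and `removePermission`, each `@return` should also state whether the returned set is a live view whose changes alter the user's grants or a detached copy; the hunk does not show which is intended. The Javadoc of `getSystemPermissions()` begins outside the hunk, so only its `@throws` tail is visible here.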
@@ -0,0 +1,128 @@
+/*
+ * Copyright (C) 2015 Glyptodon LLC
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+package org.glyptodon.guacamole.net.auth.permission;
+
+import java.util.Collection;
+import org.glyptodon.guacamole.GuacamoleException;
+
+
+/**
+ * A set of permissions which affect arbitrary objects, where each object has
+ * an associated unique identifier.
+ *
+ * @author Michael Jumper
+ * @param
+ * The type of identifier used to identify objects affected by permissions
+ * stored in this ObjectPermissionSet.
+ *
+ * @param
+ * The type of objects affected by permissions stored in this
+ * ObjectPermissionSet.
+ */
+public interface ObjectPermissionSet {
+
+ /**
+ * Tests whether the permission of the given type is granted for the
+ * object having the given identifier.
+ *
+ * @param permission
+ * The permission to check.
+ *
+ * @param identifier
+ * The identifier of the object affected by the permission being
+ * checked.
+ *
+ * @return
+ * true if the permission is granted, false otherwise.
+ *
+ * @throws GuacamoleException
+ * If an error occurs while checking permissions, or if permissions
+ * cannot be checked due to lack of permissions to do so.
+ */
+ boolean hasPermission(ObjectPermission.Type permission,
+ IdentifierType identifier) throws GuacamoleException;
+
+ /**
+ * Adds the specified permission for the object having the given
+ * identifier.
+ *
+ * @param permission
+ * The permission to add.
+ *
+ * @param identifier
+ * The identifier of the object affected by the permission being
+ * added.
+ *
+ * @throws GuacamoleException
+ * If an error occurs while adding the permission, or if permission to
+ * add permissions is denied.
+ */
+ void addPermission(ObjectPermission.Type permission,
+ IdentifierType identifier) throws GuacamoleException;
+
+ /**
+ * Removes the specified permission for the object having the given
+ * identifier.
+ *
+ * @param permission
+ * The permission to remove.
+ *
+ * @param identifier
+ * The identifier of the object affected by the permission being
+ * added.
+ *
+ * @throws GuacamoleException
+ * If an error occurs while removing the permission, or if permission
+ * to remove permissions is denied.
+ */
+ void removePermission(ObjectPermission.Type permission,
+ IdentifierType identifier) throws GuacamoleException;
+
+ /**
+ * Tests whether this user has the specified permissions for the objects
+ * having the given identifiers. The identifier of an object is returned
+ * in a new collection if at least one of the specified permissions is
+ * granted for that object.
+ *
+ * @param permissions
+ * The permissions to check. An identifier will be included in the
+ * resulting collection if at least one of these permissions is granted
+ * for the associated object
+ *
+ * @param identifiers
+ * The identifiers of the objects affected by the permissions being
+ * checked.
+ *
+ * @return
+ * A collection containing the subset of identifiers for which at least
+ * one of the specified permissions is granted.
+ *
+ * @throws GuacamoleException
+ * If an error occurs while checking permissions, or if permissions
+ * cannot be checked due to lack of permissions to do so.
+ */
+ Collection getAccessibleObjects(
+ Collection permissions,
+ Collection identifiers) throws GuacamoleException;
+
+}
diff --git a/guacamole-ext/src/main/java/org/glyptodon/guacamole/net/auth/permission/SystemPermissionSet.java b/guacamole-ext/src/main/java/org/glyptodon/guacamole/net/auth/permission/SystemPermissionSet.java
new file mode 100644
index 000000000..e106cbc08
--- /dev/null
+++ b/guacamole-ext/src/main/java/org/glyptodon/guacamole/net/auth/permission/SystemPermissionSet.java
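Review bot: The Javadoc of `getAccessibleObjects` leaves two edge cases unspecified: an empty `permissions` collection, and identifiers that do not refer to any existing object. Callers will presumably use this method to filter what a user may see, so implementations should agree on a fail-closed result; I would add `If permissions is empty, or an identifier does not refer to an existing object, that identifier is not included in the result.` to the description. Its summary also says `Tests whether this user has`, although the interface itself makes no reference to a user. Separately, the `@param identifier` text of `removePermission` ends with `being added.` and should read `being removed.`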
@@ -0,0 +1,77 @@
+/*
+ * Copyright (C) 2015 Glyptodon LLC
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+package org.glyptodon.guacamole.net.auth.permission;
+
+import org.glyptodon.guacamole.GuacamoleException;
+
+
+/**
+ * A set of permissions which affects the system as a whole.
+ *
+ * @author Michael Jumper
+ */
+public interface SystemPermissionSet {
+
+ /**
+ * Tests whether the permission of the given type is granted.
+ *
+ * @param permission
+ * The permission to check.
+ *
+ * @return
+ * true if the permission is granted, false otherwise.
+ *
+ * @throws GuacamoleException
+ * If an error occurs while checking permissions, or if permissions
+ * cannot be checked due to lack of permissions to do so.
+ */
+ boolean hasPermission(SystemPermission.Type permission)
+ throws GuacamoleException;
+
+ /**
+ * Adds the specified permission.
+ *
+ * @param permission
+ * The permission to add.
+ *
+ * @throws GuacamoleException
+ * If an error occurs while adding the permission, or if permission to
+ * add permissions is denied.
+ */
+ void addPermission(SystemPermission.Type permission)
+ throws GuacamoleException;
+
+ /**
+ * Removes the specified permission.
+ *
+ * @param permission
+ * The permission to remove.
+ *
+ * @throws GuacamoleException
+ * If an error occurs while removing the permission, or if permission
+ * to remove permissions is denied.
+ */
+ void removePermission(SystemPermission.Type permission)
+ throws GuacamoleException;
+
+}
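Review bot: The `@throws` clause of `hasPermission` folds two different outcomes into one `GuacamoleException`: a backend error, and the caller not being allowed to read permissions. Callers of an authorization check need to tell these apart and must never let a failed check fall through as a grant. The Javadoc should name the exception subtype that signals denial, if the project defines one, or at least add `Callers must treat any exception as "not granted".` The same `@throws` wording is used by `hasPermission` and `getAccessibleObjects` in ObjectPermissionSet.java.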