ACL performance

Finally, some performance considerations when using ACLs.

Fundamental rules

ACLs are read for every single object, so the number of accesses to ACL-secured objects should be kept as low as possible. A good idea might be to apply ACLs only to the top level of your object hierarchy and to allow access to the child objects only through a secured parent object. ACLs perform well only for a small number of objects; above this limit the application will perform very badly.
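
An added example, not part of the original page or of the project's own code: it counts ACL reads for a collection secured per object versus one secured only at its parent, and routes lookups by id through the parent's ACL so that no unsecured path to a child remains. `AclStore`, `Repository` and all ids are hypothetical names, and the grants are constructed sample data.

```python
# Added illustration; AclStore, Repository and all ids are hypothetical names.
class AclStore:
    """Constructed in-memory ACL table that counts how often it is read."""

    def __init__(self, grants):
        self.grants = grants  # {(principal, object_id): {"read", ...}}
        self.reads = 0

    def allows(self, principal, object_id, permission="read"):
        self.reads += 1
        return permission in self.grants.get((principal, object_id), set())


class Repository:
    def __init__(self, acl, children_by_parent):
        self.acl = acl
        self._children = children_by_parent  # {parent_id: [child_id, ...]}
        self._parent_of = {c: p for p, cs in children_by_parent.items() for c in cs}

    def list_per_object(self, principal, parent_id):
        """ACL on every child: one ACL read per object in the collection."""
        return [c for c in self._children[parent_id] if self.acl.allows(principal, c)]

    def list_via_parent(self, principal, parent_id):
        """ACL on the parent only: one ACL read for the whole collection."""
        if not self.acl.allows(principal, parent_id):
            raise PermissionError(parent_id)
        return list(self._children[parent_id])

    def get_child(self, principal, child_id):
        """Lookup by id is still decided by the parent's ACL (no unsecured path)."""
        if not self.acl.allows(principal, self._parent_of[child_id]):
            raise PermissionError(child_id)
        return child_id


def compare_acl_reads(n):
    """Return (ACL reads with per-object ACLs, ACL reads with a parent-only ACL)."""
    children = {"folder-1": [f"doc-{i}" for i in range(n)]}
    # Worst case: the principal holds a grant on every single object.
    grants = {("alice", c): {"read"} for c in children["folder-1"]}
    grants[("alice", "folder-1")] = {"read"}
    per_object = Repository(AclStore(grants), children)
    per_object.list_per_object("alice", "folder-1")
    via_parent = Repository(AclStore(grants), children)
    via_parent.list_via_parent("alice", "folder-1")
    return per_object.acl.reads, via_parent.acl.reads


if __name__ == "__main__":
    print(compare_acl_reads(10000))  # (10000, 1)
```

The parent-only model is safe only while every accessor, including direct lookups such as `get_child`, resolves the parent and checks its ACL first.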

Practical experience

The following chart shows a comparison of access times when reading a collection of objects, once with ACLs and once without. The test used up to 10000 objects, with the precondition of having sufficient access rights for each single object, in order to examine the worst-case scenario.

Access time by object number, with and without ACLs

Data sheet

The file containing all results can be downloaded here:
Data sheet (Excel)
