I am getting some requests to produce code to handle Instance Based Security for Non Application Server related code aka Business Code. The projects that are directly affected are JBoss Rules or Drools, jBPM, JBoss Portal and JBoss Seam.
The idea is to be able to CRUD level access for data driven applications.
In the past, OSAccess from Open Symphony has tried to address this space. Acegi Security for Spring has some support for Instance Based ACL.
Authorization concepts and solutions for J2EE applications is a nice technical article that talks about Role Based Access Control and Instance Based Access Control.
An ACL implementation will be simple and performant in comparison to an XACML based implementation which does have a learning curve attached.