I think what I need is a permission domain. Basically I have a permission check, but then additionally there is a permission domain kind of thing. So when I list libraries, if there are no permissions then it will just return a blank list. There will be:
- No access.
- In same trust group. ("client").
- All access. ("crossClient").
So that enumeration helps quite a bunch.
Question is, is permissions per-task or per trust-group? I would say per trust group.