We have our own user as well as program rights tables linked to the webappuser table.
That way you can create exactly the rights system you like.
In addition, we also use our own menu classes to allow us to create dynamic menus that change for each user instead of hiding them on the client.
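
An added sketch of the setup described above, not the poster's own code: rights tables joined to `webappuser` drive a per-user menu built on the server, and the same tables are checked again when a program is opened. Only the `webappuser` table name comes from the post; the `program` and `user_right` tables, their columns, the function names and the sample rows are assumptions.

```python
import sqlite3

# Constructed schema: only the webappuser table name comes from the post;
# program, user_right and all columns are assumptions for illustration.
SCHEMA = """
CREATE TABLE webappuser (id INTEGER PRIMARY KEY, login TEXT UNIQUE NOT NULL);
CREATE TABLE program (id INTEGER PRIMARY KEY, code TEXT UNIQUE NOT NULL,
                      label TEXT NOT NULL, sort_order INTEGER NOT NULL);
CREATE TABLE user_right (
    user_id INTEGER NOT NULL REFERENCES webappuser(id),
    program_id INTEGER NOT NULL REFERENCES program(id),
    PRIMARY KEY (user_id, program_id));
INSERT INTO webappuser VALUES (1, 'alice'), (2, 'bob');
INSERT INTO program VALUES (1, 'orders', 'Orders', 10),
                           (2, 'invoices', 'Invoices', 20),
                           (3, 'useradmin', 'User administration', 30);
INSERT INTO user_right VALUES (1, 1), (1, 2), (1, 3), (2, 1);
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def build_menu(conn, user_id):
    """Return only the menu entries this user holds a right for."""
    rows = conn.execute(
        "SELECT p.code, p.label FROM program p "
        "JOIN user_right r ON r.program_id = p.id "
        "WHERE r.user_id = ? ORDER BY p.sort_order", (user_id,))
    return [{"code": code, "label": label} for code, label in rows]

def is_allowed(conn, user_id, program_code):
    """Server-side check, run on every request for a program."""
    row = conn.execute(
        "SELECT 1 FROM user_right r JOIN program p ON p.id = r.program_id "
        "WHERE r.user_id = ? AND p.code = ?", (user_id, program_code)).fetchone()
    return row is not None

def open_program(conn, user_id, program_code):
    """Deny by default: an entry absent from the menu is also refused here."""
    if not is_allowed(conn, user_id, program_code):
        raise PermissionError(f"user {user_id} has no right to {program_code}")
    return f"opened {program_code}"

if __name__ == "__main__":
    db = open_db()
    print(build_menu(db, 2))  # menu for the constructed user 'bob'
```

The menu query and the request-time check read the same rights rows, so an entry that is never sent to the client is also refused if its program code is requested directly.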