views: 21

answers: 0

In real-world enterprise web applications, we always need to limit access to the data by the user's unit and role.

Consider that we have an enterprise company with many shopping stores across a country.
The company has a headquarters which has view access to all invoices and statistics for all branches. Each region in the country manages and plans the regional sales strategy for its own branches, so a region's user can also see all invoices which have been created by its branches. Each branch can create invoices and customers, and view only its own data.

We can see that we have two main access control definitions:

1- Roles (which were thought out and implemented many years ago!): we can easily implement these using RoleProvider and control access at the UI level (web.config and sitemap.config).

2- Units and their relation with roles, to deny/grant the user access to update/view data.

I have implemented a custom principal in ASP.NET to get the user's unit and roles, but I think there should be a classic solution...
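As an added illustration of the two-part check the question describes (not code from the question or from any answer), the C# below combines a custom `IPrincipal` carrying the user's unit with a unit-tree walk, so that a role decides whether a kind of user may view or edit invoices at all and the unit decides whether they may do so to a particular record. The unit hierarchy, role names (`InvoiceViewer`, `InvoiceEditor`), `Invoice` shape and class names are all assumptions made for the example; in a real application the tree would come from the database and the check would run in the data-access layer on every request, not only in the UI (web.config and sitemap.config checks control what the user sees in menus, but they do not stop a crafted request for another branch's invoice ID).

```csharp
// Added example, not part of the original question: a custom principal that
// carries unit and roles, plus a server-side check that an invoice's branch
// lies within the user's unit subtree. Unit tree, role names and Invoice shape
// are assumptions for the demo.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;

public sealed class Unit
{
    public string Id { get; }
    public string ParentId { get; }   // null for the headquarters root
    public Unit(string id, string parentId) { Id = id; ParentId = parentId; }
}

// Assumed tree: HQ -> regions -> branches. A real app loads this from the DB.
public static class UnitTree
{
    static readonly Dictionary<string, Unit> Units = new[]
    {
        new Unit("HQ", null),
        new Unit("REGION-NORTH", "HQ"), new Unit("REGION-SOUTH", "HQ"),
        new Unit("BRANCH-N1", "REGION-NORTH"), new Unit("BRANCH-N2", "REGION-NORTH"),
        new Unit("BRANCH-S1", "REGION-SOUTH"),
    }.ToDictionary(u => u.Id);

    // True if unitId equals ancestorId or sits anywhere below it in the tree.
    public static bool IsWithin(string unitId, string ancestorId)
    {
        for (var cur = unitId; cur != null;
             cur = Units.TryGetValue(cur, out var u) ? u.ParentId : null)
        {
            if (cur == ancestorId) return true;
        }
        return false;   // unknown unit or not in the subtree: deny
    }
}

// Custom principal: identity, unit, and a case-insensitive role set.
public sealed class UnitPrincipal : IPrincipal
{
    readonly HashSet<string> roles;
    public IIdentity Identity { get; }
    public string UnitId { get; }

    public UnitPrincipal(string userName, string unitId, IEnumerable<string> roles)
    {
        Identity = new GenericIdentity(userName);
        UnitId = unitId;
        this.roles = new HashSet<string>(roles, StringComparer.OrdinalIgnoreCase);
    }

    public bool IsInRole(string role) => roles.Contains(role);
}

public sealed class Invoice
{
    public int Id { get; set; }
    public string BranchId { get; set; }   // the branch that created it
    public decimal Amount { get; set; }
}

public static class InvoiceAuthorization
{
    // Role: may this kind of user view invoices at all?
    // Unit: is this invoice's branch inside the user's subtree (HQ sees all,
    // a region sees its branches, a branch sees only itself)?
    public static bool CanView(UnitPrincipal user, Invoice invoice) =>
        user.IsInRole("InvoiceViewer") && UnitTree.IsWithin(invoice.BranchId, user.UnitId);

    // Only the creating branch edits its own invoices.
    public static bool CanEdit(UnitPrincipal user, Invoice invoice) =>
        user.IsInRole("InvoiceEditor") && invoice.BranchId == user.UnitId;

    // Apply the same rule to list queries so no other unit's rows are returned.
    public static IEnumerable<Invoice> VisibleTo(UnitPrincipal user, IEnumerable<Invoice> all) =>
        user.IsInRole("InvoiceViewer")
            ? all.Where(i => UnitTree.IsWithin(i.BranchId, user.UnitId))
            : Enumerable.Empty<Invoice>();
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample data for the demo.
        var invoices = new List<Invoice>
        {
            new Invoice { Id = 1, BranchId = "BRANCH-N1", Amount = 120m },
            new Invoice { Id = 2, BranchId = "BRANCH-S1", Amount = 80m },
        };
        var regionUser = new UnitPrincipal("alice", "REGION-NORTH", new[] { "InvoiceViewer" });
        var branchUser = new UnitPrincipal("bob", "BRANCH-S1", new[] { "InvoiceViewer", "InvoiceEditor" });
        var hqUser = new UnitPrincipal("carol", "HQ", new[] { "InvoiceViewer" });

        Console.WriteLine("region views N1: " + InvoiceAuthorization.CanView(regionUser, invoices[0]));
        Console.WriteLine("region views S1: " + InvoiceAuthorization.CanView(regionUser, invoices[1]));
        Console.WriteLine("branch S1 edits own: " + InvoiceAuthorization.CanEdit(branchUser, invoices[1]));
        Console.WriteLine("HQ sees: " + InvoiceAuthorization.VisibleTo(hqUser, invoices).Count());
    }
}
```

The design choice worth noting is that `VisibleTo` and `CanView` share one predicate (`UnitTree.IsWithin`), so the list page and the detail page cannot disagree about what a user may see; the common failure mode in this kind of application is filtering the grid by unit but loading the detail record by ID alone.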