Techniques are described for using permission data objects to control user
access to business data objects. A permission data object identifies a
group affiliation associated with a user and a business object type (or
family of business data objects) to which the permission object controls
access. A permission object includes a permission attribute and a
permission value. A user who has the group affiliation that is identified
in the permission object is permitted to access a particular business
data object of the business object type when the value of the permission
attribute in the permission data object is consistent with the value of a
corresponding attribute in the particular business data object to which
the user seeks access.
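
The access decision described above can be sketched as follows. This is an added example, not code from the original document: the class names, field names and sample data are hypothetical, and "consistent with" is assumed here to mean exact equality of the two attribute values.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Permission:
    group: str        # group affiliation the permission object identifies
    object_type: str  # business object type (or family) it controls
    attribute: str    # permission attribute
    value: object     # permission value

@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset

@dataclass
class BusinessObject:
    object_type: str
    attributes: dict = field(default_factory=dict)

_MISSING = object()  # sentinel: an absent attribute must never match any value

def may_access(user, obj, permissions):
    """Deny by default; allow only when one permission object matches on
    group, object type and attribute value (assumed: equality)."""
    for p in permissions:
        if p.group not in user.groups:
            continue
        if p.object_type != obj.object_type:
            continue
        actual = obj.attributes.get(p.attribute, _MISSING)
        if actual is not _MISSING and actual == p.value:
            return True
    return False

# Constructed sample data (hypothetical groups, types and attributes).
PERMISSIONS = [
    Permission("sales_emea", "SalesOrder", "region", "EMEA"),
    Permission("hr_staff", "EmployeeRecord", "department", "HR"),
]
alice = User("alice", frozenset({"sales_emea"}))
bob = User("bob", frozenset({"hr_staff"}))
order_emea = BusinessObject("SalesOrder", {"region": "EMEA"})
order_apac = BusinessObject("SalesOrder", {"region": "APAC"})
order_untagged = BusinessObject("SalesOrder", {})
record_hr = BusinessObject("EmployeeRecord", {"department": "HR"})
```

The sentinel matters when a permission value could itself be empty or null: a business data object that lacks the attribute is then still denied rather than matched by accident.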