Note that the way we want to use the Authorization Manager API's differs somewhat from the PAG group's “Authorization and Profile Application Block.”  In that block, the default use of the Authorization Manager API is to make a call to AccessCheck whenever a user attempts an operation.  I would prefer to assume that Authorization Manager is a data store that is either physically remote or behind a boundary of trust, and that one should therefore plan to access it only once.  When the user initiallly logs in, go to Authorization Manager to gather ALL of the operations for which the user is authorized at once, cache those in the user's profile, and when the user attempts an operation, check for authorization right at that point.