diff --git a/apps/perms/models.py b/apps/perms/models.py
index 60e150672..d90620a69 100644
--- a/apps/perms/models.py
+++ b/apps/perms/models.py
@@ -39,31 +39,39 @@ class AssetPermission(models.Model):
         return True
 
     @staticmethod
-    def set_inherit(obj):
+    def set_inherited(obj, inherited_from=None):
         setattr(obj, 'inherited', True)
+        setattr(obj, 'inherited_from', inherited_from)
+        return obj
+
+    @staticmethod
+    def set_non_inherited(obj):
+        setattr(obj, 'inherited', False)
         return obj
 
     def get_granted_users(self):
-        return list(set(self.users.all() or []) | set(self.get_granted_user_groups_member()))
+        users_granted_direct = map(self.set_non_inherited, self.users.all())
+        return list(set(users_granted_direct) | self.get_granted_user_groups_member())
 
     def get_granted_user_groups_member(self):
-        combine_users = functools.partial(combine_seq, callback=AssetPermission.set_inherit)
-        try:
-            return functools.reduce(combine_users, [user_group.users.all()
-                                                    for user_group in self.user_groups.iterator()])
-        except TypeError:
-            return []
+        users = set()
+        for user_group in self.user_groups.all():
+            for user in user_group.users.all():
+                user = self.set_inherited(user, inherited_from=user_group)
+                users.add(user)
+        return users
 
     def get_granted_assets(self):
-        return list(set(self.assets.all() or []) | set(self.get_granted_asset_groups_member()))
+        assets_granted_direct = map(self.set_non_inherited, self.assets.all())
+        return list(set(assets_granted_direct or []) | self.get_granted_asset_groups_member())
 
     def get_granted_asset_groups_member(self):
-        combine_assets = functools.partial(combine_seq, callback=AssetPermission.set_inherit)
-        try:
-            return functools.reduce(combine_assets, [asset_group.users.all()
-                                                     for asset_group in self.asset_groups.iterator()])
-        except TypeError:
-            return []
+        assets = set()
+        for asset_group in self.asset_groups.all():
+            for asset in asset_group.assets.all():
+                asset = self.set_inherited(asset, inherited_from=asset_group)
+                assets.add(asset)
+        return assets
 
     class Meta:
         db_table = 'asset_permission'
diff --git a/apps/perms/utils.py b/apps/perms/utils.py
index c84951fd7..33cc38343 100644
--- a/apps/perms/utils.py
+++ b/apps/perms/utils.py
@@ -1,2 +1,97 @@
-# ~*~ coding: utf-8 ~*~
-#
+from __future__ import absolute_import, unicode_literals
+
+from .models import AssetPermission
+from .hands import User, UserGroup, Asset, AssetGroup, SystemUser
+from common.utils import combine_seq
+
+
+def get_asset_groups_denied_by_user_group(user_group):
+    pass
+
+
+def get_asset_groups_granted_by_user_group(user_group):
+    """Return asset groups granted of the user group
+
+        :param user_group: Instance of :class: ``UserGroup``
+        :return: {asset_group1: {system_user1, }, asset_group2: {system_user1, system_user2]}
+    """
+    asset_groups = {}
+
+    if not isinstance(user_group, UserGroup):
+        return asset_groups
+
+    asset_permissions = user_group.asset_permissions.all()
+    for asset_permission in asset_permissions:
+        if not asset_permission.is_valid:
+            continue
+        for asset_group in asset_permission.asset_groups.all():
+            if asset_group in asset_groups:
+                asset_groups[asset_group].union(set(asset_permission.system_users.all()))
+            else:
+                asset_groups[asset_group] = set(asset_permission.system_users.all())
+    return asset_groups
+
+
+def get_assets_granted_by_user_group(user_group):
+    """Return assets granted of the user group
+
+        :param user_group: Instance of :class: ``UserGroup``
+        :return: {asset1: {system_user1, }, asset1: {system_user1, system_user2]}
+    """
+    assets = {}
+    if not isinstance(user_group, UserGroup):
+        return assets
+
+    asset_permissions = user_group.asset_permissions.all()
+    for asset_permission in asset_permissions:
+        for asset in asset_permission.get_granted_assets:
+            if asset in assets:
+                pass
+
+
+def get_asset_groups_granted_by_user(user):
+    """Return asset groups granted of the user
+
+    :param user: Instance of :class: ``User``
+    :return: {asset_group: {system_user1, }, asset_group2: {system_user1, system_user2]}
+    """
+    asset_groups = {}
+
+    if not isinstance(user, User):
+        return asset_groups
+
+    asset_permissions = user.asset_permissions.all()
+
+    for asset_permission in asset_permissions:
+        for asset_group in asset_permission.asset_groups.all():
+            if asset_group in asset_groups:
+                asset_groups[asset_group].union(set(asset_permission.system_users.all()))
+            else:
+                asset_groups[asset_group] = set(asset_permission.system_users.all())
+
+    return asset_groups
+
+
+def get_assets_granted_by_user(user):
+    """Return all assets granted of the user
+
+    :param user: Instance of :class: ``User``
+    :return: {asset1: {system_user1, system_user2}, asset2: {...}}
+    """
+    pass
+
+
+def get_user_groups_granted_in_asset(asset):
+    pass
+
+
+def get_users_granted_in_asset(asset):
+    pass
+
+
+def get_user_groups_granted_in_asset_group(asset):
+    pass
+
+
+def get_users_granted_in_asset_group(asset):
+    pass