overall code organization: helper, library, core, or model?

I'm sort of torn here. It certainly seems clear that a given page view or action should be intercepted by a controller if a user is not sufficiently privileged. Viewing admin dashboard, for instance, should not be accessible except by admin. On the other hand, other actions may depend on a lot of conditions that seem squarely in the Model camp: existence of records in a particular database, values from a database, etc. The rules for access to a particular action could be quite elaborate. I've heard discussion of using Interceptor Pattern in this context, but can't yet formulate a proper vision of code and data structures. In particular, creating three base controller classes:
* Public - for pages accessible to everyone
* User - for pages accessible to registered users
* Admin - for pages only accessible to Admins.
This might work fine for a simple site but what if you want to specify a-la-carte permissions like an ACL or *nix-style file permissions? Or what if you have N user levels rather than just these 3? I'd appreciate any thoughts on code structures, data structures, and code organization if anyone has any.

If you would like, you can look at my authentication library to see how I did a simple ACL and am using a post-controller-constructor for authentication rather than multiple base controller classes:  http://forum.codeigniter.com/thread-264.html  It may give you some ideas.

It does not have complex permissions though, like what you were talking about where a permission would need to be determined by multiple attributes.  Whether you would accomplish something like this in a library or a model... you could go either way.  For entity level permissions, I usually use model functions in the entity's model.