I want to set up a flexible security(permission) management system which can be suitalbe to any CRM or ERP's requirement. First, a warning. Attempting to design
any sort of general-purpose solution is almost guaranteed to prduce a poor result if you don't already have experience of designing at least one (and ideally more than one) specific solution first. Please, please consider producing a solid, simple, specific, security subsystem for some real project first.
If you really need to make some sort of general solution, you need to do a lot of research, and even then you'll likely produce an unwieldy, bloated and fragile solution simply because you don't have enough experience of the domain to weigh up the thousands of tiny choices you will have to make during design and coding.
Start by looking at some theory, for example:
http://www.cap-lore.com/CapTheory/ ,
http://www.opengroup.org/security/gsp.htm . These are sites I found in just a few minutes of googling, you'll need to find more.
You should really look up some academic papers, too.
Then look at some implementations. You'll probably need to browse some CVS repositories if you want to study open source software, so get comfortable with that first. Be critical, consider the strengths and weaknesses of the choices the other developers made, decide whether you agree, justify your decision, keep notes.
Finally, you can start designing and coding. But make sure that you build a
test and measurement framework as you go, so when you have to make a choice about how to do something, you can be as informed as possible. Do experiments - try things and measure the results, run load tests and concurrency tests, throw things away if they are not right.
But please, if at all possible, practice on a simpler, more constrained solution domain first; learn what works and what doesn't; get a "feel" for what's important.
Good luck.