Since my real domain model would take too long to explain, I'll use an abstract example that shows the same problem:

Let's say I have a permission system where I want to be able to assign permissions (think Windows ACLs) to securable objects. Say I've got 5 classes, one for each type of securable object in my domain and an abstract base class called SecurableObject. Right now I have SecurableObject mapped and the 5 derived classes mapped with a <joined-subclass>. SecurableObject has a collection of PermissionEntry objects that I use in my authorization checks.

My questions are:

1) I could unmap the SecurableObject class and just have 5 'table per concrete class' mappings, but then wouldn't I have to define 5 PermissionEntry classes, one for each object type so they would map correctly?

2) Is there a better pattern for this that I'm just not seeing? I'm worried about performance here of the added inner join or should I not be too worried since the SecurableObject table is going to be extremely small (an Id and maybe a Name column)?