We have done this with an ASP.NET application using ASP.NET membership providers. Access to controlled resources/services is done via roles. Based on the roles they are in, the user has a list of resources that they have access to. We then construct the TOC, tool list etc. and customise the app based on what role the user is in.
We do store bookmarks and profile information on a per-user basis.
We use WCF services to store bookmarks and other profile information in a database.
If you are interested in a quick and dirty way to store profile information or bookmarks, I would look at WCF Data Services... it uses OData and spits out JSON, which can be used by your client app. However, security options are limited.
Unfortunately, none of this comes out of the box. I would be happy to share our architecture with you if you email me.
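
A sketch of the role-to-resource pattern described in the post above, added here as an illustration and not the poster's code. The resource names, role names and the `ResourceCatalog` class are hypothetical; in an ASP.NET application the `IPrincipal` would be the request's user as populated by the role provider. The same map drives both the TOC/tool list and a deny-by-default check that each service call repeats, since leaving an entry out of the TOC does not by itself protect the service behind it.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;

// Hypothetical catalogue: each controlled resource lists the roles allowed to use it.
static class ResourceCatalog
{
    static readonly Dictionary<string, string[]> AllowedRoles =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "BaseLayers",  new[] { "Viewer", "Editor", "Admin" } },
            { "AssetLayers", new[] { "Editor", "Admin" } },
            { "EditTool",    new[] { "Editor", "Admin" } },
            { "UserAdmin",   new[] { "Admin" } },
        };

    // Builds the list used to render the TOC and tool list for this user.
    public static List<string> VisibleTo(IPrincipal user) =>
        AllowedRoles.Where(kv => kv.Value.Any(user.IsInRole))
                    .Select(kv => kv.Key)
                    .OrderBy(name => name)
                    .ToList();

    // Called at the start of every service operation. Unauthenticated users
    // and resources missing from the catalogue are denied by default.
    public static bool IsAllowed(IPrincipal user, string resource) =>
        user.Identity.IsAuthenticated
        && AllowedRoles.TryGetValue(resource, out var roles)
        && roles.Any(user.IsInRole);
}

static class Demo
{
    static void Main()
    {
        // Constructed sample principals standing in for the ASP.NET request user.
        var viewer = new GenericPrincipal(new GenericIdentity("alice"), new[] { "Viewer" });
        var editor = new GenericPrincipal(new GenericIdentity("bob"), new[] { "Editor" });
        var anonymous = new GenericPrincipal(new GenericIdentity(""), new string[0]);

        Console.WriteLine("viewer TOC: " + string.Join(", ", ResourceCatalog.VisibleTo(viewer)));
        Console.WriteLine("editor TOC: " + string.Join(", ", ResourceCatalog.VisibleTo(editor)));

        // A request for a resource that was never shown to the user is still checked.
        Console.WriteLine("viewer -> AssetLayers: " + ResourceCatalog.IsAllowed(viewer, "AssetLayers"));
        Console.WriteLine("editor -> AssetLayers: " + ResourceCatalog.IsAllowed(editor, "AssetLayers"));
        Console.WriteLine("editor -> Unlisted:    " + ResourceCatalog.IsAllowed(editor, "Unlisted"));
        Console.WriteLine("anon   -> BaseLayers:  " + ResourceCatalog.IsAllowed(anonymous, "BaseLayers"));
    }
}
```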