Off the top of my head I'd say the user needs to have read permission of the module(resource) you have created. If the module doesn't have that permission, then the user should be allowed to read it automatically.
Also: The user should be bound to the site the object is associated with. The user should have that permission for the site the object is associated with. If it's a global object, permission "globalread" applies if it exists. I'm not really sure how this works if you haven't specified a SiteID column in the TypeInfo of your class.
I'm not really sure about this and I might come back with a 100% answer a bit later. For the time being could you clear up some of the unknowns for me?