Modeling is like There are list of system defined permissions e.g read_document, manage_document, delete_document etc Now admin can create any role with combination of these permissions. User will be assigned one of these roles E.g role_dev : read_document role_staff: read_document, manage_document role_manager: read_document, manage_document, delete_document User will be assigned these roles. Now any user who has these roles should be able to perform operation based on what permissions are associated with that role If they have that permission in their role they should be able to perform operation on any document