Basically you could have completely separate permissions systems, e.g. you could have two different definitions of

user

and they wouldn't overlap or be able to communicate at all. The alternative is that you would have a single permissions system which only has one definition for each object type, and each micro-product can read and write to their own little part of the permissions system, but other things could also do permissions checks that cross those boundaries.