in your current example, you mark

permission read = member + company->admin + member->company_admin_access

as being a hack; where do you find the issue (if any)?