From what I understand about your question, there can be two ways to solve your problems.
The first is the use of hierarchical roles (role inheritance). Although it is more difficult to implement and manage, it can provide a level of flexibility that is very interesting.
The second way (if that might be interesting) is that I experimented with trying to "expand" RBAC for academic reasons.
I did to allow the definition of two or more "named" levels of each role. Therefore, given the role of Programmer, my implementation allows me to add levels to the role, for example:
Programmer Level Definition:
- Senior = level 500
- Intermediate = Level 200
- "Junior" = level 0
So, when someone assigns permissions to an instance of an object, such as a specification document, it can be assigned as follows:
“Some documents” → Programmer (level 300) → can edit “Some documents” → Programmer (level 0) → can read “Some documents” → Programmer (level 500) → can delete
This indicates that all programmers can read the document, but juniors and intermediaries are not allowed to edit such a document due to the lack of “level” authority. And only a senior programmer can delete a document.
This allows me to have 3 different permission levels, creating only one role. In a traditional system, I would have to create three different roles (4 with inheritance), for example:
In non-hierarchical implementation:
- Senior programmer
- Intermediate programmer
- junior programmer
In a hierarchical implementation:
- Programmer
- Senior programmer (extends the program)
- Intermediate programmer (extends the program)
- Junior programmer (extends the program)
Obviously, levels must be correctly defined as sub-roles. The definition of Analyst is invalid because these are two different roles, not a subtype.