Layered Permission / roles logic (advice needed)

Would love some input on the following.

We have multiple layers of permissions for each role (in a SaaS context).
The roles are:

• Student (end user who watches courses)
• Teacher (person uploading and managing courses)
  • Teacher assistent
• Admin (employees of our company like customer support)

Each role has different layers of permissions.
Here’s an example of what we have so far, please keep in mind that the roles might be adjusted in the future. We want fine control in what each role can access exactly, so this system needs to allow that.

Example of roles and their permissions

Student can access:

• logged in area
• free courses in said area
• paid courses if enrolled

Teacher can:

• access all that the student can access
• fully access management features of their school

Teacher ‘assistant’ (user with a bit less rights) can:

• access all that the student can access
• Partly access management features of their school

Admin can:

• Access all the student can
• Access all the teacher can
• Fully access application wide management features

Admin ‘assistant’ (bit less rights again) can:

• Access all the student can
• Access all the teacher can’
• Partly access application wide mangement features

My question

Currently I have 3 functional roles set up in the security provider:

image748×485 14.3 KB

But I don’t think this can accommodate what I want. The possible solution I see would get really messy in a few months. Please let me know if you’ve done something similar!

Possible solutions I see

1. Keep just these 3 roles in the security provider, create new library actions for each specific permission, like:

• teacher_full_access
• teacher_assistant_access
• teacher_customer_support_access
  Then in each library action set up database queries to check if that user has got access to the stuff it wants to change. I.e. if they are part of the customer_support team, then they can’t upload new videos to a course. So in the upload_video_to_course server action I will add this library action:teacher_customer_support_access.
  Then this action will query the course it’s trying to access and another table with the permission defines defined.
  This is how the permission table would be like:
• id
• User_id (ref)
• course_id (ref)
• permission_level (int)

While typing I have the feeling I’m overcomplicating things?