Thanks @bajcmartinez !
(It’s lfnunes btw)
I think we are moving towards an RBAC + Permissions path - creating permissions and assigning them to roles, then assigning roles to users, and this article together with your answer helped us to understand how to make it work.