Hi @kriseva,
Given that RBAC is specifically designed for this type of use case, you can first define roles, then add permissions to them - Manage Role-Based Access Control Roles.
The Maximum Request Size for the ‘/oauth/token’ Endpoint is 500kb, which is mostly sufficient in any scenario, while you can also check the Number of Roles/Permissions per User here.
Best regards,
Remus