Hi @alexab,
I think you could be successful with either implementation, as long as you are consistent. With that being said, sure there are trade-offs.
How are you planning on assigning the base permission? Programmatically in a rule (example)? If so, you will have the read permission on every user, and will have the redundant read permission on admin. But is that really a problem? Not necessarily according to the additive model of roles and permissions described here.
Are roles mutually exclusive in your implementation? Will you need to check if a user is a base user and not an admin? If so, you will want admin to have all the permissions of a base user, and not have to perform a function checking all user roles to confirm they are only base level.
Are you only checking permissions? Or are you checking roles in the token (via a custom claim outlined here). Or are you relying on permissions to be descriptive enough to manage access. If you are only using roles to assign permissions to users, and not checking if a user has a role in a token, but rather if the user has permission, then it doesn’t matter as much how the permissions are assigned, just that they are correctly assigned.
I will admit, I have not seen every implementation of roles and permissions, and there may be more granular advice depending on your scenario, but generally you can achieve what you are describing multiple ways.
Hope this helps!
Thanks,
Dan