A common approach to implementing permissions/authorization is to have multiple levels. For example:

1. Guest
2. Basic
3. Power user
4. Administrator

The assumption is that the set of permissions on one level is a strict subset of the permissions on the level above. While this can be true for tiny projects early on, eventually this setup will fall apart.

For example, maybe someone from the Finance department wants to have some permissions that Administrators typically have, but not all their permissions. Perhaps they shouldn’t even have some Power User permissions.

Permission hierarchies are too constraining, especially in the long run.