Each user has one or more services that indicate a specific area or hierarchical level.
You can restrict sections to users who match a set of services, combined with either OR or AND logic, as you choose.
The master role always has full access everywhere.
| Section | Authorization object | Services needed | Go there and check yourself |
|---|---|---|---|
| Service A area | WithService("serviceA") | service A or master | Service A area |
| Service A \|\| Service B | WithService("serviceA", "serviceB") | (service A or service B) or master | Service A \|\| Service B |
| Service A && Service B | WithServices("serviceA", "serviceB") | (service A and service B) or master | Service A && Service B |
| Settings area | WithService("master") | only master | Settings area |
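The rules in the table can be modelled and checked as an access matrix. This is an added example, not the project's own code: `User`, `with_service`, `with_services` and the sample users are hypothetical names, and rejecting an empty service list is a choice made in this model, since an AND over no services would otherwise authorize every user.

```python
from dataclasses import dataclass

MASTER = "master"  # role name taken from the table

@dataclass(frozen=True)
class User:
    # Hypothetical user model: a name plus the services assigned to it.
    name: str
    services: frozenset

def _require(services):
    required = frozenset(services)
    if not required:
        # Model choice: an empty AND is vacuously true, so refuse to build it.
        raise ValueError("at least one service is required")
    return required

def with_service(*any_of):
    """OR rule: master, or at least one of the listed services."""
    required = _require(any_of)
    return lambda user: MASTER in user.services or bool(required & user.services)

def with_services(*all_of):
    """AND rule: master, or every one of the listed services."""
    required = _require(all_of)
    return lambda user: MASTER in user.services or required <= user.services

# One rule per row of the table.
SECTIONS = {
    "Service A area": with_service("serviceA"),
    "Service A || Service B": with_service("serviceA", "serviceB"),
    "Service A && Service B": with_services("serviceA", "serviceB"),
    "Settings area": with_service("master"),
}

# Constructed sample users, one per interesting combination.
USERS = [
    User("alice", frozenset({"serviceA"})),
    User("bob", frozenset({"serviceB"})),
    User("carol", frozenset({"serviceA", "serviceB"})),
    User("root", frozenset({MASTER})),
    User("nobody", frozenset()),
]

def access_matrix(users=USERS):
    """Map each user name to the list of sections that user may open."""
    return {u.name: [s for s, rule in SECTIONS.items() if rule(u)] for u in users}

if __name__ == "__main__":
    for name, sections in access_matrix().items():
        print(f"{name:7} -> {sections}")
```

Running it prints which sections each sample user can open, which makes it easy to spot a section that is reachable by more users than intended.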