The most reliable way is still to use an ACL (access control list) strategy to manage resource permissions. But for simple apps, I just add to each user a property named "accessScope" which takes an integer in the range [0-9] as its value, where 0 is the default (guest) and 9 is super admin.
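One way to enforce the "accessScope" level described above, as an added example that is not part of the original post. The helper names (`isValidScope`, `effectiveScope`, `requireScope`, `statusFor`), the connect-style middleware shape, and the choice to treat a malformed value as guest are assumptions made for illustration.

```javascript
// Added example. accessScope: integer 0-9, 0 = guest (default), 9 = super admin.
const GUEST = 0;
const SUPER_ADMIN = 9;

function isValidScope(value) {
  return Number.isInteger(value) && value >= GUEST && value <= SUPER_ADMIN;
}

// Assumption: a missing, non-integer or out-of-range accessScope is treated
// as guest, so a malformed user record can never raise privileges.
function effectiveScope(user) {
  const scope = user ? user.accessScope : undefined;
  return isValidScope(scope) ? scope : GUEST;
}

// Hypothetical helper returning connect-style middleware (req, res, next).
function requireScope(minScope) {
  if (!isValidScope(minScope)) {
    throw new RangeError("minScope must be an integer in [0, 9]");
  }
  return function (req, res, next) {
    if (effectiveScope(req.user) >= minScope) return next();
    res.statusCode = 403;
    res.end("Forbidden");
  };
}

// Runs the middleware against a stub request/response, returns the status.
function statusFor(user, minScope) {
  const res = { statusCode: 200, end() {} };
  requireScope(minScope)({ user }, res, () => {});
  return res.statusCode;
}

// Constructed sample users, including malformed records.
const samples = [
  [{ name: "root", accessScope: 9 }, 7],   // allowed
  [{ name: "alice", accessScope: 3 }, 7],  // too low
  [{ name: "bob", accessScope: "9" }, 7],  // string, not integer
  [{ name: "eve", accessScope: 42 }, 1],   // out of range
  [undefined, 1],                          // no user on the request
];
for (const [user, min] of samples) {
  console.log(user ? user.name : "(anonymous)", "needs", min, "->", statusFor(user, min));
}
```

The check only holds if `accessScope` is read from the server-side user record and never from a field the client can set in the request.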