
Design Permission control for users and groups

We need an inheritance model to control user access. The way I see this working is a default deny, with groups and group inheritance.

So, we'd see data structures a bit like this:

```
"User": {
    "name": "foo",
    "email": "foo@bar.com",
    "permissions": {
        "Groups": [...GroupObject...]
    }
}

"GroupObject": {
    "name": "GroupName",
    "Nodes": [...NodeObject...],
    "GroupInheritance": [...GroupObject...]
}

"NodeObject": {
    "id": 1,
    "name": "Edit Profile Self",
    "description": "Allows the user to edit their own profile",
    "action": "allow",
    "node": "user.self.editProfile"
}
```
Edited by Kyle Brennan
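
One way to evaluate the proposed structures, as an added example that is not part of the original issue or the project's code. It assumes a `"deny"` action exists alongside `"allow"` and that an explicit deny overrides any allow; the function names, group names and the extra `user.delete` node are constructed for illustration.

```python
def collect_nodes(group, seen):
    """Yield every NodeObject reachable from a GroupObject via GroupInheritance.

    `seen` holds visited group names so a cyclic inheritance chain
    (A inherits B, B inherits A) terminates instead of recursing forever.
    """
    if group["name"] in seen:
        return
    seen.add(group["name"])
    yield from group.get("Nodes", [])
    for parent in group.get("GroupInheritance", []):
        yield from collect_nodes(parent, seen)


def is_allowed(user, node):
    """Default deny: True only if a reachable node allows `node` and none denies it."""
    seen, granted = set(), False
    for group in user.get("permissions", {}).get("Groups", []):
        for entry in collect_nodes(group, seen):
            if entry["node"] != node:
                continue
            if entry["action"] == "deny":   # assumption: explicit deny always wins
                return False
            if entry["action"] == "allow":
                granted = True
    return granted                          # nothing matched -> denied


# Constructed sample data following the shapes in the issue.
EDIT_SELF = {"id": 1, "name": "Edit Profile Self", "action": "allow",
             "description": "Allows the user to edit their own profile",
             "node": "user.self.editProfile"}
DENY_DELETE = {"id": 2, "name": "No Delete", "action": "deny", "node": "user.delete"}
ALLOW_DELETE = {"id": 3, "name": "Delete", "action": "allow", "node": "user.delete"}

base = {"name": "Base", "Nodes": [EDIT_SELF], "GroupInheritance": []}
members = {"name": "Members", "Nodes": [DENY_DELETE], "GroupInheritance": [base]}
base["GroupInheritance"].append(members)    # deliberate cycle to exercise `seen`
admins = {"name": "Admins", "Nodes": [ALLOW_DELETE], "GroupInheritance": [members]}

foo = {"name": "foo", "email": "foo@bar.com", "permissions": {"Groups": [members]}}
root = {"name": "root", "email": "foo@bar.com", "permissions": {"Groups": [admins]}}

if __name__ == "__main__":
    for node in ("user.self.editProfile", "user.delete", "user.ban"):
        print(node, is_allowed(foo, node), is_allowed(root, node))
```

Because `Admins` inherits `Members`, the inherited deny on `user.delete` also blocks `root`; whether a child group's allow should instead override an inherited deny is a precedence decision the design needs to make explicitly.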