User Roles Additivity

When designing user roles for the application I’d like to employ what I’d call additivity.

Let’s have a standard user position, who has access to a certain set of application roles to screens in read only mode. Now let’s introduce a manager user position, who has access to the same set of screens as the standard user and some extra analytics screens.

The first position can be used as a user role. In the case of the second position I could just define the extra analytics screens for a user role and assign both user roles to the user. The problem comes when we decide that the manager user should have some of the screens of the standard user in edit mode. If I declare the screen as editable in the second application role, the first application role declaring the screen as read only still takes precedence.

I propose that if there are two application roles, one declaring the screen as read only and the second declaring it editable, the result should be an editable screen.

Why not, although that would be a breaking change so we would have to parametrize this for backwards compatibility. We do not want to open previously read only screens to the existing users.

Is there some common understanding described somewhere that says that least restrictive rules should win?
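The merging rule discussed in this thread, as an added example that is not code from the thread or from the application being discussed. It assumes a small model of its own: an `Access` level enum, an `ApplicationRole` holding per-screen access levels, and a `merge_roles` function with an `additive` switch that defaults to the existing behaviour so that previously read-only screens stay read-only unless the application explicitly opts in. The legacy rule is modelled here as "most restrictive declared level wins", which is one reading of the thread's description; a screen that no role declares is never granted in either mode, so additivity only raises levels among screens that were already granted.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, Iterable


class Access(IntEnum):
    """Access level for one screen; higher value = less restrictive (assumed model)."""
    NONE = 0        # screen not granted at all
    READ_ONLY = 1
    EDIT = 2


@dataclass(frozen=True)
class ApplicationRole:
    """A named application role mapping screen ids to the access level it declares."""
    name: str
    screens: Dict[str, Access]


def merge_roles(roles: Iterable[ApplicationRole], additive: bool = False) -> Dict[str, Access]:
    """Combine the screen access declared by several roles assigned to one user.

    additive=False (default, assumed legacy behaviour): when two roles declare the
    same screen, the most restrictive level wins, so READ_ONLY beats EDIT.
    additive=True (the proposal in the thread): the least restrictive level wins,
    so EDIT beats READ_ONLY. Screens no role mentions are absent from the result
    in both modes; additivity never grants a screen by itself.
    """
    merged: Dict[str, Access] = {}
    for role in roles:
        for screen, level in role.screens.items():
            if screen not in merged:
                merged[screen] = level
            elif additive:
                merged[screen] = max(merged[screen], level)
            else:
                merged[screen] = min(merged[screen], level)
    return merged


def effective_access(roles: Iterable[ApplicationRole], screen: str, additive: bool = False) -> Access:
    """Resolve one screen for a user, returning Access.NONE when no role grants it."""
    return merge_roles(roles, additive=additive).get(screen, Access.NONE)


# Constructed sample roles matching the thread's scenario (names are made up).
STANDARD_USER = ApplicationRole(
    "standard-user",
    {"orders": Access.READ_ONLY, "customers": Access.READ_ONLY},
)
# The manager role only adds the extra analytics screen and upgrades "orders" to edit.
MANAGER = ApplicationRole(
    "manager",
    {"orders": Access.EDIT, "analytics": Access.READ_ONLY},
)


if __name__ == "__main__":
    user_roles = [STANDARD_USER, MANAGER]
    print("legacy  :", {s: a.name for s, a in merge_roles(user_roles).items()})
    print("additive:", {s: a.name for s, a in merge_roles(user_roles, additive=True).items()})
```

With the default switch the manager still sees `orders` read-only, which is the behaviour the thread reports today; flipping `additive=True` yields edit access on `orders`, keeps `customers` read-only and `analytics` read-only, and leaves an undeclared screen such as `reports` ungranted in both modes. Because the result does not depend on the order in which roles are assigned, a user's effective access can be checked the same way regardless of how the roles were attached.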