User claims override role claims?
Need to implement a system. Having trouble thinking how to structure a table for user permissions overrides.
Say I give a new user "JoeAnalyst" the business role of "Analyst", a role that has Read permissions on a company. Another role might be "Senior Analyst", which can Create, Read, Update, and Delete on a company.
I want to grant an override to the user "JoeAnalyst" to have the ability to Update a company, but not create a whole new role. Logically, I'd have a UserClaims table (like Identity already has).
Users:
    Id  Name
    1   Joe
    2   Frank

Roles:
    Id  Name
    1   Analyst
    2   Senior Analyst

Claims:
    Id  Name
    1   Company.Create
    2   Company.Read
    3   Company.Update
    4   Company.Delete

RoleClaims:
    Id  RoleId  ClaimId
    0   1       2
    1   2       1
    2   2       2
    3   2       3
    4   2       4

UserRoles:
    Id  UserId  RoleId
    0   1       1
The question underlies the UserClaims table. In the event of adding an extra permission I could see a schema like:
UserClaims (option 1):
    Id  UserId  ClaimId
    0   1       3
    1   2       4
But this doesn't allow revoking a role permission. So something like this is better:
UserClaims (option 2):
    Id  UserId  ClaimId  Override
    0   1       3        'ALLOW'
    1   2       4        'DENY'
But, a plain text (or int) seems weird. So then I was thinking:
UserClaimsGrant (option 3):
    Id  UserId  ClaimId
    0   1       3

UserClaimsDeny (option 3):
    Id  UserId  ClaimId
    0   2       4
What is a better system, and does Identity already do this? I've only ever seen the UserClaims table like option 1 in Identity, and I can certainly extend Identity, but I figured there might be some functionality.
Thanks.
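The following is an added, self-contained example (not the poster's code and not part of ASP.NET Identity) showing how the "option 2" schema from the question resolves a user's effective permissions. It builds the question's tables in an in-memory SQLite database and runs one query that takes the union of role claims and per-user ALLOW rows, then subtracts per-user DENY rows, so a DENY always wins over a role grant. The UNIQUE (UserId, ClaimId) constraint and the CHECK on Override are assumptions added here to keep a user from holding contradictory verdicts on the same claim. The UserRoles row placing Frank (user 2) in the Senior Analyst role is also an assumption, since the question's UserRoles table only lists Joe; without it the DENY on Company.Delete for user 2 would have nothing to revoke.

```python
import sqlite3

# Schema following the question's "option 2": a single UserClaims table whose
# Override column says whether the row adds (ALLOW) or removes (DENY) a claim.
SCHEMA = """
CREATE TABLE Users      (Id INTEGER PRIMARY KEY, Name TEXT NOT NULL);
CREATE TABLE Roles      (Id INTEGER PRIMARY KEY, Name TEXT NOT NULL);
CREATE TABLE Claims     (Id INTEGER PRIMARY KEY, Name TEXT NOT NULL UNIQUE);
CREATE TABLE RoleClaims (Id INTEGER PRIMARY KEY,
                         RoleId  INTEGER NOT NULL REFERENCES Roles(Id),
                         ClaimId INTEGER NOT NULL REFERENCES Claims(Id),
                         UNIQUE (RoleId, ClaimId));
CREATE TABLE UserRoles  (Id INTEGER PRIMARY KEY,
                         UserId INTEGER NOT NULL REFERENCES Users(Id),
                         RoleId INTEGER NOT NULL REFERENCES Roles(Id),
                         UNIQUE (UserId, RoleId));
CREATE TABLE UserClaims (Id INTEGER PRIMARY KEY,
                         UserId  INTEGER NOT NULL REFERENCES Users(Id),
                         ClaimId INTEGER NOT NULL REFERENCES Claims(Id),
                         Override TEXT NOT NULL CHECK (Override IN ('ALLOW', 'DENY')),
                         UNIQUE (UserId, ClaimId));  -- one verdict per user/claim pair
"""

# Sample rows taken from the question. The UserRoles row for Frank (user 2)
# is an assumption added here: the question's DENY on Company.Delete for
# user 2 only has an effect if Frank holds the Senior Analyst role.
SAMPLE_DATA = """
INSERT INTO Users  VALUES (1, 'Joe'), (2, 'Frank');
INSERT INTO Roles  VALUES (1, 'Analyst'), (2, 'Senior Analyst');
INSERT INTO Claims VALUES (1, 'Company.Create'), (2, 'Company.Read'),
                          (3, 'Company.Update'), (4, 'Company.Delete');
INSERT INTO RoleClaims VALUES (0, 1, 2), (1, 2, 1), (2, 2, 2), (3, 2, 3), (4, 2, 4);
INSERT INTO UserRoles  VALUES (0, 1, 1), (1, 2, 2);
INSERT INTO UserClaims VALUES (0, 1, 3, 'ALLOW'), (1, 2, 4, 'DENY');
"""

# Effective claims = (claims via roles UNION per-user ALLOW) MINUS per-user DENY.
# A DENY therefore beats any role grant, which is what a grant-only table
# (the question's option 1) cannot express.
EFFECTIVE_CLAIMS_SQL = """
SELECT c.Name
FROM Claims AS c
WHERE (
        c.Id IN (SELECT rc.ClaimId
                 FROM RoleClaims AS rc
                 JOIN UserRoles  AS ur ON ur.RoleId = rc.RoleId
                 WHERE ur.UserId = :uid)
     OR c.Id IN (SELECT uc.ClaimId FROM UserClaims AS uc
                 WHERE uc.UserId = :uid AND uc.Override = 'ALLOW')
      )
  AND c.Id NOT IN (SELECT uc.ClaimId FROM UserClaims AS uc
                   WHERE uc.UserId = :uid AND uc.Override = 'DENY')
ORDER BY c.Name;
"""


def build_db() -> sqlite3.Connection:
    """Create an in-memory database loaded with the sample tables above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA + SAMPLE_DATA)
    return conn


def effective_claims(conn: sqlite3.Connection, user_id: int) -> set[str]:
    """Claim names a user actually holds after role and override resolution."""
    rows = conn.execute(EFFECTIVE_CLAIMS_SQL, {"uid": user_id}).fetchall()
    return {name for (name,) in rows}


def has_claim(conn: sqlite3.Connection, user_id: int, claim_name: str) -> bool:
    """The check a request handler would make before acting on a company."""
    return claim_name in effective_claims(conn, user_id)


if __name__ == "__main__":
    db = build_db()
    for uid, name in db.execute("SELECT Id, Name FROM Users ORDER BY Id"):
        # Joe: ['Company.Read', 'Company.Update']
        # Frank: ['Company.Create', 'Company.Read', 'Company.Update']
        print(f"{name}: {sorted(effective_claims(db, uid))}")
```

With these rows Joe ends up with Read (from the Analyst role) plus Update (from his ALLOW override), and Frank keeps Create, Read and Update from Senior Analyst but loses Delete because of the DENY row. The same query works unchanged for the question's option 3 layout if the two subqueries against UserClaims are pointed at UserClaimsGrant and UserClaimsDeny instead; the important design decision in either layout is that deny takes precedence, so an override can only ever narrow what a role grants unless it is explicitly an ALLOW.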