Grady Booch has a Catalog of zillions of patterns. I see one near the top about Access Control Requirements and one called Role Based Access Control. His entries are very brief, but might point you to other resources.
A design I've used many times is:
* A user "belongs to" or "has" one or more roles
* A role "can access" one or more resources
* A resource represents something that one user can do that another cannot.
It's easy to implement an API like isAuthorized( user, resource )
The relationship between role & resource is many-to-many. In a database and maybe in a Java model you can model this with an entity in between them. That entity can have a list of access rules, e.g. create, read, update, delete, execute or whatever you need to secure.
Now you need isAuthorized( user, resource, action )
Any of that sound useful?
A good question is never answered. It is not a bolt to be tightened into place but a seed to be planted and to bear more seed toward the hope of greening the landscape of the idea. John Ciardi
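
The design described in the post above, sketched as an added example that is not part of the original post. The class name `AccessControl`, the `Action` enum, the in-memory maps standing in for database tables, and the sample users, roles and resources are all assumptions made for illustration.

```java
import java.util.*;

public class RbacExample {
    // The access rules carried by the entity between role and resource.
    enum Action { CREATE, READ, UPDATE, DELETE, EXECUTE }

    static final class AccessControl {
        // user -> roles (a user "has" one or more roles)
        private final Map<String, Set<String>> rolesByUser = new HashMap<>();
        // role -> resource -> allowed actions (the many-to-many join entity)
        private final Map<String, Map<String, Set<Action>>> grants = new HashMap<>();

        void assignRole(String user, String role) {
            rolesByUser.computeIfAbsent(user, k -> new HashSet<>()).add(role);
        }

        void grant(String role, String resource, Action... actions) {
            grants.computeIfAbsent(role, k -> new HashMap<>())
                  .computeIfAbsent(resource, k -> EnumSet.noneOf(Action.class))
                  .addAll(Arrays.asList(actions));
        }

        // Deny by default: an unknown user, role or resource, or an action
        // that no role of the user was granted, yields false.
        boolean isAuthorized(String user, String resource, Action action) {
            Set<String> roles = rolesByUser.getOrDefault(user, Collections.emptySet());
            for (String role : roles) {
                Set<Action> allowed =
                    grants.getOrDefault(role, Collections.emptyMap()).get(resource);
                if (allowed != null && allowed.contains(action)) {
                    return true;
                }
            }
            return false;
        }
    }

    public static void main(String[] args) {
        AccessControl ac = new AccessControl();
        ac.assignRole("alice", "editor");   // constructed sample data
        ac.assignRole("alice", "viewer");
        ac.assignRole("bob", "viewer");
        ac.grant("viewer", "report", Action.READ);
        ac.grant("editor", "report", Action.CREATE, Action.UPDATE);

        System.out.println("alice UPDATE report: " + ac.isAuthorized("alice", "report", Action.UPDATE));
        System.out.println("bob UPDATE report:   " + ac.isAuthorized("bob", "report", Action.UPDATE));
        System.out.println("bob READ report:     " + ac.isAuthorized("bob", "report", Action.READ));
        System.out.println("carol READ report:   " + ac.isAuthorized("carol", "report", Action.READ));
    }
}
```

A user's effective permissions are the union over all of their roles, and there is no explicit deny rule in this sketch, so removing access means removing the grant or the role assignment.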