Best practice for setting up CRUD user permission

Is there any best practice for setting up Create - Read - Update - Delete permission for different user types?

I’m building a company resource management app. The simple version contains 2 types of user role: admin and employee; each employee will have a profile.

  • Admin can have full CRUD permission to profile
  • Employee can only see their own profile

What I have done so far

  • Use Database privacy to control who can Read what
    • Current user's role is Admin
    • Current user's role is Employee AND This Profile's Employee is Current user's Employee
  • Use conditionals in elements to limit the ability to Create, Update or Delete a data thing
    • If Current User's Role is not Admin -> This element isn't clickable

Right now I only have 2 types of user, so it’s easy to set the conditions. In the future I want to add more user types with more complicated permissions (e.g. a manager can update but cannot delete profiles, an HR employee can only create, read and update the profiles belonging to their department…), so using conditions to control the C, U, D doesn’t seem to be the best way, since I have to set them in multiple elements.

You could consider creating Option Sets that represent the permissions. For example, an option set "permission" will have a display attribute of ‘Can Delete’…then you can put these option sets as a list onto the user type.

Then you can create the privacy roles and conditions to use those option set lists…you can then make it so that when a user data type is created and a certain type is applied to it, workflows run to add the option sets accordingly.
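Here is the shape of that design in plain Python, as an added example that is not code from the original thread or from Bubble: each role carries a list of permissions (the answer's option-set list), each permission has a scope, and one `is_allowed` function makes every create/read/update/delete decision instead of a condition repeated on every element. The role names (`admin`, `manager`, `hr`, `employee`), the `department` field and the three `Scope` values are assumptions drawn from the question's examples; `ROLE_GRANTS`, `is_allowed` and `readable_profiles` are names chosen for this illustration.

```python
# Added example (not from the original thread or from Bubble): a role -> permission
# model with scoped grants and a single central authorization check. Role names,
# the department field and the Scope values are assumptions taken from the question.
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, List


class Permission(Enum):
    CREATE = "create"
    READ = "read"
    UPDATE = "update"
    DELETE = "delete"


class Scope(Enum):
    ALL = "all"                # any profile
    DEPARTMENT = "department"  # only profiles in the user's own department
    OWN = "own"                # only the user's own profile


# Role -> {permission: scope}. A permission that is absent is denied, so adding a
# new role means adding one entry here rather than editing every element.
ROLE_GRANTS = {
    "admin": {p: Scope.ALL for p in Permission},
    "manager": {Permission.READ: Scope.ALL, Permission.UPDATE: Scope.ALL},
    "hr": {
        Permission.CREATE: Scope.DEPARTMENT,
        Permission.READ: Scope.DEPARTMENT,
        Permission.UPDATE: Scope.DEPARTMENT,
    },
    "employee": {Permission.READ: Scope.OWN},
}


@dataclass(frozen=True)
class User:
    id: str
    role: str
    department: str


@dataclass(frozen=True)
class Profile:
    owner_id: str     # the employee this profile belongs to
    department: str


def _in_scope(scope: Scope, user: User, profile: Profile) -> bool:
    """Does the profile fall inside the scope the grant allows?"""
    if scope is Scope.ALL:
        return True
    if scope is Scope.DEPARTMENT:
        return profile.department == user.department
    if scope is Scope.OWN:
        return profile.owner_id == user.id
    return False


def is_allowed(user: User, action: Permission, profile: Profile) -> bool:
    """Single authorization decision for every C/R/U/D action.

    For CREATE, `profile` is the record the user is trying to create, so an HR
    user cannot create a profile in another department. Unknown roles have no
    grants, so the default is deny.
    """
    scope = ROLE_GRANTS.get(user.role, {}).get(action)
    if scope is None:
        return False
    return _in_scope(scope, user, profile)


def readable_profiles(user: User, profiles: Iterable[Profile]) -> List[Profile]:
    """The equivalent of a read privacy rule: keep only rows the user may see."""
    return [p for p in profiles if is_allowed(user, Permission.READ, p)]


if __name__ == "__main__":
    # Constructed sample data for a quick demonstration.
    hr = User("u3", "hr", "sales")
    own_dept = Profile("u9", "sales")
    other_dept = Profile("u4", "engineering")
    print(is_allowed(hr, Permission.UPDATE, own_dept))    # True
    print(is_allowed(hr, Permission.UPDATE, other_dept))  # False
    print(is_allowed(hr, Permission.DELETE, own_dept))    # False
```

The point of routing every decision through one function is that the same check can be applied both where the UI decides whether a button is clickable and, more importantly, where the data is actually written. A condition on an element only hides the control; it does not stop a request that bypasses the page, so the create/update/delete rules need to be enforced on the data side (in Bubble terms, in privacy rules or backend workflows) with the UI condition as a convenience on top.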