A method includes receiving a request of a user to perform an operation with respect to a first resource, in response to the request, determining, in view of a resource-based master data structure, a first resource-based permission data structure associated with the first resource, and accessing the first resource-based permission data structure to identify a first resource entry associated with the user. The method further includes upon determining that the first resource entry does not indicate that the user has a permission to perform the requested operation with respect to the first resource, determining a second resource-based permission data structure associated with a second resource that is a parent of the first resource, accessing the second resource-based permission data structure to identify a second resource entry associated with the user, and upon determining that the second resource entry indicates that the user has a permission to perform the requested operation with respect to the second resource, allowing the user to perform the requested operation with respect to the first resource.