Just a quick note on how we are handling dynamic permissions in our application.
This may be useful to others.
In our application, the super user can create organizations. We want users belonging to an organization to see data of that organization. A user can belong to more than one organization.
When an organization is created, we also create a special permission for it. The slug contains the id of the organization.
For example: org:
So the corresponding organization role has a permission of org:. There can be other permissions for administrators of that organization (e.g. admin_org:).
This approach allows us to manage resources on an organization basis using roles and permissions.
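A sketch of the scheme described above, as an added example that is not code from the original post or from any particular permissions library. It assumes integer organization ids placed directly after the colon and an admin role that also carries the member permission; the `Role`, `User` and helper names are hypothetical.

```python
import re
from dataclasses import dataclass, field

# Assumption: slugs are "<prefix>:<integer organization id>".
SLUG_RE = re.compile(r"(org|admin_org):([1-9][0-9]*)")

@dataclass
class Role:
    name: str
    permissions: set = field(default_factory=set)

@dataclass
class User:
    name: str
    roles: list = field(default_factory=list)

    def permissions(self):
        return set().union(*(r.permissions for r in self.roles))

def create_org_roles(org_id):
    """Creating an organization also creates its permissions and roles."""
    member = Role(f"org-{org_id}-member", {f"org:{org_id}"})
    # Assumption: the admin role carries the member permission as well.
    admin = Role(f"org-{org_id}-admin", {f"org:{org_id}", f"admin_org:{org_id}"})
    return member, admin

def can(user, prefix, org_id):
    # Exact slug comparison: "org:1" must never satisfy a check for org 12,
    # and "admin_org:1" must never be found by searching for "org:1".
    return f"{prefix}:{int(org_id)}" in user.permissions()

def visible_org_ids(user):
    """Organization ids the user may read; malformed slugs grant nothing."""
    ids = set()
    for slug in user.permissions():
        m = SLUG_RE.fullmatch(slug)
        if m and m.group(1) == "org":
            ids.add(int(m.group(2)))
    return ids

def filter_records(user, records):
    allowed = visible_org_ids(user)
    return [r for r in records if r["org_id"] in allowed]

if __name__ == "__main__":
    # Constructed sample data.
    member1, _ = create_org_roles(1)
    _, admin7 = create_org_roles(7)
    alice = User("alice", [member1, admin7])
    rows = [{"org_id": 1, "v": "a"}, {"org_id": 12, "v": "b"}, {"org_id": 7, "v": "c"}]
    print([r["v"] for r in filter_records(alice, rows)])
```

Comparing whole slugs rather than prefixes or substrings is what keeps organization 1 from reading organization 12's data once ids grow past one digit.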