Help at modeling a user/role combined with resource/role model/policy/requests

I’m trying to understand how to model our scenario considering:

• Users have roles
• Roles have permissions
• Users lands in groups
• Resources lands in groups
• Groups can be inherited

In our use case

• Users are humans in client apps
• Roles are a group of permissions
• Groups hierarchically speaking are superadmin (us), tenants or sub-entities of the tenant.
• Resources are IoT devices or more “classical” services (let’s say API endpoints with CRUD permissions)
• Users and devices will both be assigned to groups to identify what user is allowed to perform and action on what device.

So, we want to be matching

1. Does the user’s role contain the permission to access the resource
2. Does the user belong to the same group of the resource

For instance: Request to get the status of an IoT device could be:

User1, device1234, get_status

• Is User1 in a group (role) which contains operation get_status?
• Is User1 in a group which is either the same, or one of the parent group of device1234

If both conditions succeed, matcher should return True.

Hopefully I’m clear in the description of the question. I have to admit I’m having a hard time to figure out how to perform this using a single model.
I made a ton of try outs but I was not able to find a way to match both conditions in the same model.

Any help would be greatly appreciated!