[Practicality]

I had a hybrid system at one point that included this "access level" in addition to the roles system. So a person could have multiple roles, but only one access level. The access level was only for admin things like this, so most people were just "users."

It works fine, but you need to document what is going on, or at least put some good comments in. You are definitely going to confuse future developers (including yourself) as to why you sometimes check one set of constraints and sometimes another.

I got rid of this once the system got more heavily used though, as it's just too much overhead to keep track of two systems. So if you really do plan on staying small it's fine, but if you think this might grow, just stick to roles.