Depending on what you're looking for, you can extend your model with entities and business logic to achieve an extra layer of authorization. Associate users to groups and groups to objects which the groups should be able to access. Subsequently when executing business logic, validate if the group should be able to edit the objects.
Can you explain what you exactly want to achieve?