You're right about using retrieve action by association at your before commit microflow (i.e. it's not sure the object exists in the database or not). Perhaps you could use three retrieve actions from association to get 3 deep.
First, you could retrieve the Role object by the Settings-Role association from association.
Secondly, you can retrieve the Applications list by the Role-Applications association from association.
Finally, you can retrieve the Permission objects by the Application-Permission association from association.