you can create various role in your application and then tag the users in those roles.

So for example you have one group as AppAdmin who have unrestricted access of application and can see all modules. This role you then configure in database and give appropriate permission. Once your role created successfully then add the user/s in this role but must consider the sensitivity of permission attached with role.

Similarly you can create role specific to a perticular functionality and keep filtering it further as much secure you want your application.