Don’t use access permissions to control what a user can and can’t do if the correct functionality of the system you’re building depends on it.

A user’s permissions should dictate what the user has the right to do and see, based on the policies of the resources themselves. The correct functioning of the system is a separate matter: it should be built so that if you were to disable all the permission checks, a user could do anything available to them without breaking things. Relying on permissions to prevent this feels like a code smell to me, and can leave you with policies that have blanket denies for everyone that just can’t be taken out, and no one remembers why they were added there in the first place.
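The separation described above, as an added sketch that is not code from the original post: the rule that keeps an invoice valid lives in the domain object, while the policy table only decides who may act. The `Invoice` class, the `POLICY` table, the role names and the sample users are all hypothetical.

```python
# Added illustration; Invoice, POLICY, the roles and the users are hypothetical.
class InvariantError(Exception):
    """The operation would leave the system in an invalid state."""

class Invoice:
    def __init__(self, owner):
        self.owner, self.lines, self.finalized = owner, [], False

    def add_line(self, amount):
        # Correctness rule lives in the domain object and applies to every
        # caller, so no "deny everyone" policy entry is needed to protect it.
        if self.finalized:
            raise InvariantError("finalized invoices are immutable")
        self.lines.append(amount)

    def finalize(self):
        if not self.lines:
            raise InvariantError("cannot finalize an empty invoice")
        self.finalized = True

# Authorization only answers "may this user do this to this resource?".
POLICY = {
    "add_line": lambda user, inv: user["name"] == inv.owner,
    "finalize": lambda user, inv: "accountant" in user["roles"],
}

def perform(user, action, invoice, *args, enforce_permissions=True):
    if enforce_permissions and not POLICY[action](user, invoice):
        raise PermissionError(f"{user['name']} may not {action}")
    return getattr(invoice, action)(*args)

def demo():
    """Run constructed calls; return each outcome and the final lines."""
    alice = {"name": "alice", "roles": ["accountant"]}
    mallory = {"name": "mallory", "roles": []}
    inv, out = Invoice(owner="alice"), []
    steps = [(alice, "add_line", (100,), True),
             (mallory, "add_line", (5,), True),    # denied by policy
             (alice, "finalize", (), True),
             (mallory, "add_line", (5,), False),   # checks off: invariant holds
             (alice, "add_line", (5,), True)]      # allowed by policy, still invalid
    for user, action, args, enforce in steps:
        try:
            perform(user, action, inv, *args, enforce_permissions=enforce)
            out.append("ok")
        except (PermissionError, InvariantError) as exc:
            out.append(type(exc).__name__)
    return out, inv.lines

if __name__ == "__main__":
    print(demo())
```

With `enforce_permissions=False` the finalized invoice is still protected, so the policy table carries no entry whose only purpose is to keep the data consistent.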