I agree with Nicole: it looks like you are doing what might seem like a good optimization, but you are facing scale issues.
Many RBAC systems deal with a large number of permissions, which is one of the reasons why roles exist - ordinary users only need to know what role they are in - to leave developers the ability to display the display of access rights. Large systems can provide a graphical interface for superusers to perform authority mapping and even create permissions, but only to provide maximum user flexibility.
However, because of J2EE, at the code level it all comes down to checking for "roles" programmatically. This tends to confuse things when what you really want to check is permission to perform the operation. Just keep that semantic space.
In terms of optimization, consider not the method of assigning permissions, but when and how you perform the check. In a web application, you may only need to check when a call comes from the external interface, and perhaps network latency will overshadow any optimizations you perform here.
If you decide that you want to optimize, you will probably find simply caching permissions at the login. The actual resolution search will be stored in memory, so it will be tiny after initial loading from the database.
To avoid a combinatorial explosion of permissions, set a strong logic in front of you - write it down - and make sure that you cover all your bases. If you see the need to create new dynamic permissions, for example, when new entities are added to your system, then pay attention: this is better done in the template of an intermediary or manager who can check your business rules before handing out protected organizations. Here you go into the field of libraries, such as Drools, which serve to expose the business logic from your application so that it can be updated based on changing business requirements.
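The approach described in the answer above (resolve roles into permissions once at login, keep the result in memory, and check the permission for the operation at the external entry point instead of the role) could look like the sketch below. This is an added example, not code from the original answer; the class, role and permission names are hypothetical, and the role mapping is constructed inline where a real system would load it from its database.

```java
import java.util.*;

// Added illustration; every name here is hypothetical.
public class PermissionCacheExample {

    // Constructed role -> permission mapping (normally loaded from the database).
    static final Map<String, Set<String>> ROLE_PERMISSIONS = Map.of(
        "clerk",   Set.of("invoice:read"),
        "manager", Set.of("invoice:read", "invoice:approve"));

    /** Per-session snapshot of effective permissions, resolved once at login. */
    static final class Session {
        private final Set<String> permissions;

        Session(Collection<String> roles) {
            Set<String> resolved = new HashSet<>();
            for (String role : roles) {
                // A role with no mapping grants nothing (deny by default).
                resolved.addAll(ROLE_PERMISSIONS.getOrDefault(role, Set.of()));
            }
            this.permissions = Set.copyOf(resolved); // immutable after login
        }

        // In-memory set lookup; no database access per check.
        boolean can(String permission) {
            return permissions.contains(permission);
        }
    }

    // The check at the external interface asks about the operation, not the role.
    static String approveInvoice(Session session, int invoiceId) {
        if (!session.can("invoice:approve")) {
            throw new SecurityException("missing permission invoice:approve");
        }
        return "invoice " + invoiceId + " approved";
    }

    public static void main(String[] args) {
        Session manager = new Session(List.of("manager"));
        Session clerk = new Session(List.of("clerk", "unmapped-role"));
        System.out.println(approveInvoice(manager, 42));
        try {
            approveInvoice(clerk, 42);
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```

A snapshot taken at login does not see later changes to the role mapping, so a revoked permission stays effective until the session ends unless sessions are invalidated or the cache is refreshed on change.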