Each object (data type instance) has multiple permissions assigned to it. In an RBAC system, permissions consist of an action, the object the permission is for and a role (let's say roles are stored in their own table for now and all roles are stored in one table).
The simplest way to store permissions would be in a central table:
Permission := (datatype, object_id, action, role)
Where an example entry could be ('article', 12, 'edit', 2). However, this seems pretty unclean to me because I'd store the table name of the datatype to operate on in the datatype attribute.
Another way was to have a permission table for each data type. This way the information about the referenced data type would be stored in the table to choose from when checking permissions:
This would also allow for extending the permissions where you also need parameters to the action (like "add" action with the parameter "article" and "folder" for adding the article to a folder).
Now, another problem arises: There are not only global roles, but there may also be roles depending on the referenced article's properties (like an Owner role for the creating user). If I did not store these roles in the global table but in a data type specific table, the <data type>Permission tables would not be sufficient. I would need <data type>LocalPermissions and <data type>GlobalPermissions.
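One way to model the per-data-type variant together with the object-derived "Owner" role, as an added example that is not part of the question above: a single `role` table carries both global roles (assigned through `user_role`) and local roles (flagged `is_local`, never assigned directly but computed from the article's `owner_id` at check time), and one `article_permission` table holds both global grants (`object_id IS NULL`) and object-specific grants, so no separate Local/Global permission tables are needed. The schema, table names, sample users and articles are all constructed for this example; the check fails closed for unknown objects and ignores any attempt to hand out a local role through the global assignment table.

```python
import sqlite3

# Constructed schema (not from the question): one role table for global and
# object-derived roles, and one permission table per data type so object_id is
# a real foreign key rather than a (table name, id) pair.
SCHEMA = """
CREATE TABLE role (
    id       INTEGER PRIMARY KEY,
    name     TEXT UNIQUE NOT NULL,
    is_local INTEGER NOT NULL DEFAULT 0   -- 1: derived from object properties
);
CREATE TABLE user_role (
    user_id INTEGER NOT NULL,
    role_id INTEGER NOT NULL REFERENCES role(id),
    PRIMARY KEY (user_id, role_id)
);
CREATE TABLE article (
    id       INTEGER PRIMARY KEY,
    title    TEXT NOT NULL,
    owner_id INTEGER NOT NULL
);
CREATE TABLE article_permission (
    object_id INTEGER REFERENCES article(id),  -- NULL: applies to every article
    action    TEXT NOT NULL,
    role_id   INTEGER NOT NULL REFERENCES role(id)
);
"""


def setup():
    """Create an in-memory database with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO role (id, name, is_local) VALUES (?, ?, ?)",
                     [(1, "reader", 0), (2, "editor", 0), (3, "owner", 1)])
    # user 100 is a reader, user 101 an editor; user 102 has no role at all
    conn.executemany("INSERT INTO user_role VALUES (?, ?)", [(100, 1), (101, 2)])
    conn.executemany("INSERT INTO article VALUES (?, ?, ?)",
                     [(12, "Intro to RBAC", 100), (13, "Threat modelling", 101)])
    conn.executemany("INSERT INTO article_permission VALUES (?, ?, ?)",
                     [(None, "view", 1),    # every reader may view every article
                      (None, "edit", 2),    # every editor may edit every article
                      (None, "edit", 3),    # the owner of an article may edit it
                      (12, "delete", 3)])   # owner may delete article 12 only
    conn.commit()
    return conn


def global_roles(conn, user_id):
    """Roles assigned directly; local roles are filtered out even if someone
    inserted them into user_role, so they can only come from object state."""
    rows = conn.execute(
        "SELECT ur.role_id FROM user_role ur JOIN role r ON r.id = ur.role_id "
        "WHERE ur.user_id = ? AND r.is_local = 0", (user_id,))
    return {role_id for (role_id,) in rows}


def local_roles(conn, user_id, object_id):
    """Roles derived from the referenced article's own properties (the Owner case).
    Returns None when the article does not exist so the caller can deny."""
    row = conn.execute("SELECT owner_id FROM article WHERE id = ?", (object_id,)).fetchone()
    if row is None:
        return None
    roles = set()
    if row[0] == user_id:
        (owner_id,) = conn.execute("SELECT id FROM role WHERE name = 'owner'").fetchone()
        roles.add(owner_id)
    return roles


def can(conn, user_id, action, object_id):
    """True if any global or local role of the user grants `action` on the article,
    either through a global (NULL object_id) grant or an object-specific one."""
    local = local_roles(conn, user_id, object_id)
    if local is None:                      # unknown object: fail closed
        return False
    roles = global_roles(conn, user_id) | local
    if not roles:
        return False
    placeholders = ",".join("?" * len(roles))  # only '?' markers are interpolated
    row = conn.execute(
        "SELECT 1 FROM article_permission "
        "WHERE action = ? AND (object_id IS NULL OR object_id = ?) "
        f"AND role_id IN ({placeholders}) LIMIT 1",
        (action, object_id, *roles)).fetchone()
    return row is not None


if __name__ == "__main__":
    db = setup()
    for uid, act, oid in [(100, "view", 12), (100, "edit", 12), (100, "edit", 13),
                          (101, "edit", 12), (100, "delete", 12), (101, "delete", 13)]:
        print(f"user {uid} {act} article {oid}: {'allow' if can(db, uid, act, oid) else 'deny'}")
```

The action parameter the question mentions (for example an "add" action scoped to "folder") would become one more column on `article_permission`, which is exactly what the per-data-type layout makes possible without touching the other data types' tables.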