in reply to Bitmask or Named permissions
I work with a big, bad, broad application with similar permissions requirements.
They handled it by creating an "administrative" object with permissions attributes and user attributes. These objects can work systemwide or be assigned to specific objects in the system.
So for example the "root" user would be subscribed to an administrative group with global "superuser" permissions.
A "peon" user is subscribed to an administrative group with global "user" permissions and admin permissions over their mailbox.
It's cumbersome (the app I deal with does not let a user subscribe to multiple administrative objects) but effective.
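
A minimal model of the scheme described in the post above, written as an added example (it is not code from the poster's application). The level names beyond "user" and "superuser", the class and method names, and the `mailbox:<name>` object ids are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Permission levels from weakest to strongest (ordering is an assumption).
LEVELS = {"none": 0, "user": 1, "admin": 2, "superuser": 3}

@dataclass
class AdminGroup:
    """An 'administrative' object: permission attributes plus user attributes."""
    name: str
    global_level: str = "none"                  # applies systemwide
    scoped: dict = field(default_factory=dict)  # object id -> level on that object
    members: set = field(default_factory=set)   # subscribed users

class Directory:
    def __init__(self):
        self.group_of = {}  # user -> the single AdminGroup they subscribe to

    def subscribe(self, user, group):
        # Mirror the limitation in the post: one administrative object per user.
        current = self.group_of.get(user)
        if current is not None and current is not group:
            raise ValueError(f"{user} is already subscribed to {current.name}")
        group.members.add(user)
        self.group_of[user] = group

    def level_on(self, user, obj):
        group = self.group_of.get(user)
        if group is None:
            return "none"  # unknown user: deny by default
        # Effective level is the stronger of the global and the object-scoped grant.
        return max(group.global_level, group.scoped.get(obj, "none"),
                   key=LEVELS.__getitem__)

    def allowed(self, user, required, obj):
        return LEVELS[self.level_on(user, obj)] >= LEVELS[required]

def build_demo():
    """Constructed sample data matching the 'root' and 'peon' cases in the post."""
    d = Directory()
    roots = AdminGroup("roots", global_level="superuser")
    peon = AdminGroup("peon-self", global_level="user",
                      scoped={"mailbox:peon": "admin"})
    d.subscribe("root", roots)
    d.subscribe("peon", peon)
    return d, roots
```

Because each user maps to exactly one group, any user whose grants differ from everyone else's needs a group of their own, which is the cumbersome part the post mentions.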