I’m not sure if I understood everything correctly, what you need in the end, but you can implement it as follows:
If you want to bother and write your own authorization, then how to do it from scratch is well described here:
If you are too lazy, then you can use the devise gem ( https://github.com/plataformatec/devise) and, when creating a model, add an additional "role" field to it.
Accordingly, further create the model "Right".
Create a has_and_belongs_to_many relation
For example, your project opens immediately in the edit template

=form_for @project do |f|
какой-то код
  =f.collection_select(:permission_ids, Permission.all, :id, :permission_title, {include_blank: false, :include_hidden => false, :selected => @project.permissions.map(&:id)}, { class: 'тут какой-то css', :multiple => true})

If you need to restrict access rights only for this project, then add the project_id field to the UserPermission model
and in the form code

=form_for @project do |f|
какой-то код
  =f.collection_select(:permission_ids, Permission.all, :id, :permission_title, {include_blank: false, :include_hidden => false, :selected => @project.permissions.map(&:id)}, { class: 'тут какой-то css', :multiple => true})
  =f.fields_for :user_permission do |s|
    =s.hidden_field :project_id, value: @project.id

The code was written out of my head, plus I'm not entirely sure that I fully understood the problem, so please do not lynch if not 100% everything is right.

Apparently we are talking about a bunch of gems Devise (authorization) and CanCanCan (privilege management)