Access rights

What should the implementation of a flexible access control system look like?

Greetings. I have my own API, and I want to implement a fairly flexible method access control. I have different user types (administrator, moderator,...) that can be dynamically created and deleted, it is possible to edit the permission level that is available to each user type. Each user type has its own priority.
Here are some abstract examples that I want the access control system to support:
- a moderator can ban users who are below him in priority.
- the user can edit his messages, the moderator can edit both his own and other people's messages.
- the moderator can delete messages not in all conversations, but only in pre-selected by the administrator.
I looked at the role-based access control (RBAC) model, but it only gives me the ability to determine whether user type X can call method Y. But this is not enough: everyone can call the messages.edit method, but everyone with different rights - users can edit their messages, moderators - any messages. Is it possible to somehow modify RBAC to support such things?
I read about attribute-based access control (ABAC), including on Habré, but, unlike RBAC (where the entire implementation is the permissions, roles, roles_permissions, users and users_roles tables), it is not entirely clear how to implement this on practice and whether it will be convenient to use.
I would be grateful for your ideas and recommendations. I'm interested in the very concept of how this can be done ..