Hi Hilkan,
what do you think about historical assignements for permissions ans roles, to recap the assigned rights/roles to any timestamp?
AbpUserRole
Id UserId RoleId ValidFrom ValidTo (Nullable => To check if it is valid)
And the same for:
User->Permission Role->Permission
Greetings
lemestrez