Maybe a really dumb question, but wouldn't the least complex way of doing something like this be to just attach the ACLs to folders instead of files/objects?
So if you want to grant access to reports to a role, you would set the ACLs on the reports folder, not on individual reports.
Object-level permissions feel too fine-grained for me in many cases. We probably need this for actual file systems, but those are quite different from something like an enterprise application. The file system has lots of "irrelevant" files for the user that might need specific permissions, and you can't arbitrarily reorganize files without breaking stuff.
I think that sort of gets you back to DAC. The downside is that I have a file at path /foo/bar, and I want bar only accessible in one way. I move it to /baz/bar and now it's accessible in another way, even though 'bar' has not really changed.
This works for a lot of use cases. ACLs aren't zero-sum, so it's fine to layer them. As an example, Dropbox Paper has some interesting security properties.
A Document can have ACLs that are tied to the Document itself. Things like "Only let these specific people read / edit the document" or "Only users within our organization". There are also directories - your private directory isn't browsable by others, but you can have organization-wide directories.
And then finally there are document capabilities. I can share a URL to a Document and, regardless of its directory (even private) that Document can be viewed. The article calls this MAC, which I guess could be correct? I've never heard the terms conflated.
Also, existing file systems are built around DAC, so it's hard to really think of exactly how you'd apply object-level permissions. AppArmor, a MAC system, lets you specify interesting things like 'owner'. SELinux gives you object tagging, RBAC, etc. They have their tradeoffs.
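To make the three models discussed above concrete, here is a small added example (written for this thread, not code from any of the commenters or from Dropbox Paper) that models all three at once: ACLs attached to folders and inherited down the path, ACLs attached to the document object itself, and a capability token that grants access regardless of where the document lives. It then walks through the move in the reply above: a document at one path is moved under a private directory, and you can watch which grants survive. All names (`Store`, `AclEntry`, the users, paths and roles) are invented for the illustration.

```python
"""Toy authorization model: folder ACLs, object ACLs and capability links (added example)."""
from dataclasses import dataclass, field
import posixpath
import secrets


@dataclass(frozen=True)
class Principal:
    user: str
    org: str
    roles: frozenset = frozenset()


@dataclass
class AclEntry:
    kind: str         # "user", "role" or "org"
    subject: str      # user name, role name or org name
    perms: frozenset  # e.g. {"read", "edit"}

    def matches(self, p: Principal) -> bool:
        if self.kind == "user":
            return p.user == self.subject
        if self.kind == "role":
            return self.subject in p.roles
        if self.kind == "org":
            return p.org == self.subject
        return False


@dataclass
class Document:
    doc_id: str                            # stable identity; survives moves
    path: str
    acl: list = field(default_factory=list)  # ACL attached to the object itself


class Store:
    def __init__(self):
        self.folder_acls = {}   # folder path -> [AclEntry]; inherited by everything below
        self.docs = {}          # current path -> Document
        self.caps = {}          # capability token -> (doc_id, perms)

    def grant_folder(self, folder, entry):
        self.folder_acls.setdefault(folder, []).append(entry)

    def add_doc(self, doc):
        self.docs[doc.path] = doc

    def move(self, src, dst):
        doc = self.docs.pop(src)
        doc.path = dst
        self.docs[dst] = doc

    def mint_capability(self, doc_id, perms):
        # The token is bound to the document's identity, not its path, so a
        # shared link keeps working after the document is moved or made private.
        token = secrets.token_urlsafe(16)
        self.caps[token] = (doc_id, frozenset(perms))
        return token

    def effective_perms(self, path, principal, token=None):
        perms = set()
        # 1. Folder ACLs: union of every matching entry on the path's ancestors.
        folder = posixpath.dirname(path)
        while True:
            for e in self.folder_acls.get(folder, []):
                if e.matches(principal):
                    perms |= e.perms
            if folder == "/":
                break
            folder = posixpath.dirname(folder)
        # 2. Object ACLs travel with the document, wherever it is filed.
        doc = self.docs.get(path)
        if doc is not None:
            for e in doc.acl:
                if e.matches(principal):
                    perms |= e.perms
            # 3. A capability token grants access to its document only.
            if token is not None:
                cap = self.caps.get(token)
                if cap is not None and cap[0] == doc.doc_id:
                    perms |= cap[1]
        return frozenset(perms)


def demo():
    """Replay the thread's scenario; returns the observed permission sets (constructed data)."""
    store = Store()
    store.grant_folder("/reports", AclEntry("role", "analyst", frozenset({"read"})))
    store.grant_folder("/shared", AclEntry("org", "acme", frozenset({"read", "edit"})))
    q1 = Document("doc-1", "/reports/q1.pdf",
                  acl=[AclEntry("user", "carol", frozenset({"read", "edit"}))])
    store.add_doc(q1)
    store.add_doc(Document("doc-2", "/shared/memo.txt"))
    alice = Principal("alice", "acme", frozenset({"analyst"}))  # gets in via the folder
    carol = Principal("carol", "acme")                          # named on the object
    dave = Principal("dave", "other-org")                       # outsider, no roles

    out = {}
    out["alice_before"] = store.effective_perms("/reports/q1.pdf", alice)
    out["carol_before"] = store.effective_perms("/reports/q1.pdf", carol)
    # The move from the reply above: same document, new path under a private directory.
    store.move("/reports/q1.pdf", "/private/bob/q1.pdf")
    out["alice_after"] = store.effective_perms("/private/bob/q1.pdf", alice)   # folder grant lost
    out["carol_after"] = store.effective_perms("/private/bob/q1.pdf", carol)   # object grant kept
    token = store.mint_capability("doc-1", {"read"})
    out["dave_with_link"] = store.effective_perms("/private/bob/q1.pdf", dave, token)
    out["dave_without_link"] = store.effective_perms("/private/bob/q1.pdf", dave)
    out["dave_wrong_doc"] = store.effective_perms("/shared/memo.txt", dave, token)
    out["alice_shared"] = store.effective_perms("/shared/memo.txt", alice)
    out["dave_shared"] = store.effective_perms("/shared/memo.txt", dave)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:18} {sorted(v)}")
```

The point of the `demo()` run is the pair `alice_after` (empty) versus `carol_after` (unchanged): a path-based grant is a property of where the document is filed, so moving the file silently changes who can read it, while an object ACL and a capability token are properties of the document and follow it. A real system would also need to decide whether a move itself is an authorized action and whether capability tokens can be revoked; the store here does neither.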