"Well, that would be a bit more difficult, because these ad-hoc roles depend on the project. So one guy can be a Project Manager of one project (and see everything) and be a tester in another one."
So you'd just declare new object types as necessary ...
It might not be as simple as what you're doing; I'd have to look more closely, but the point is that the difficulty in scaling a permissions solution doesn't lie in the permissions system itself in this case, but rather in flaws in the object model...