File Systems: Protection

Access control lists revisited...

Some systems combine a mechanism like this with access control lists. For example, on VMS 4.0 and later, a file may be given an access control list that grants or denies certain access rights to certain specified users. If a file has an ACL (and most won't), the ACL is checked first:

  1. If the ACL grants the access, the access is granted without further checking.

  2. If the ACL denies the access, the access is denied without further checking unless the user has certain privileges.

  3. The regular protection code is checked only if the ACL does not mention the user, or if the user was denied access but has certain privileges.
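The three-step order above can be modelled in a few lines. This is an added example, not code from the original notes or from VMS; the `OVERRIDE` privilege name, the owner/group/world protection model, the first-match rule for ACL entries, and all sample users are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical name standing in for the "certain privileges" in the notes.
OVERRIDE_PRIVS = frozenset({"OVERRIDE"})

@dataclass
class User:
    name: str
    group: str
    privileges: frozenset = frozenset()

@dataclass
class File:
    owner: str
    group: str
    protection: dict             # assumed model: rights per owner/group/world class
    acl: Optional[list] = None   # [(user, "grant" | "deny", rights)]; None = no ACL

def protection_allows(f, u, right):
    cls = "owner" if u.name == f.owner else "group" if u.group == f.group else "world"
    return right in f.protection[cls]

def check_access(f, u, right):
    """Return (allowed, deciding_mechanism) using the three-step order above."""
    # Assumption: the first ACL entry naming this user and right decides.
    for who, effect, rights in f.acl or []:
        if who != u.name or right not in rights:
            continue
        if effect == "grant":
            return True, "acl-grant"          # step 1: no further checking
        if not (u.privileges & OVERRIDE_PRIVS):
            return False, "acl-deny"          # step 2: denied outright
        break                                 # step 3: denied but privileged
    return protection_allows(f, u, right), "protection-code"

# Constructed sample data: owner read/write, group read, world nothing.
PROT = {"owner": {"read", "write"}, "group": {"read"}, "world": set()}
ACL = [("bob", "grant", {"read"}), ("carol", "deny", {"read"}), ("dave", "deny", {"read"})]
DOC = File("alice", "staff", PROT, ACL)
BOB = User("bob", "guests")
CAROL = User("carol", "staff")
DAVE = User("dave", "staff", OVERRIDE_PRIVS)
ERIN = User("erin", "guests")

if __name__ == "__main__":
    for u in (BOB, CAROL, DAVE, ERIN):
        print(u.name, check_access(DOC, u, "read"))
```

In the sample, carol's deny entry overrides the group read access the protection code would otherwise give her, while dave, who holds the privilege, is sent on to the protection code despite an identical deny entry.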