design – Security Policies scope (should they rule seamlessly over data and models)?

I’m working on a security policy system design and I’m facing an existential question.

Some of the policies have a model-level scope that could be defined like so:

UserGroup x EntityType x AccessMode -> Boolean

In the meantime, I want to have finer policies that operate at the data level, to restrict users to accessing only specific instances.

UserGroup x Set<EntityType> x AccessMode -> Boolean

In one case, the policy is defined over a Data Model, in the other over Data.
I’m not especially familiar with security policies. Is it a bad design to make two different kinds of policies cohabit? Or is it just a misunderstanding that I have, and they work seamlessly?
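
One way the two scopes can share a single decision point, as an added example that is not part of the original question. The group and entity names are constructed, Set<EntityType> is read as a set of instance ids, and the rule that a data-level policy only narrows an existing model-level grant (deny by default) is an assumption.

```python
from dataclasses import dataclass
from enum import Enum

class AccessMode(Enum):
    READ = "read"
    WRITE = "write"

@dataclass(frozen=True)
class ModelPolicy:  # UserGroup x EntityType x AccessMode -> Boolean
    group: str
    entity_type: str
    mode: AccessMode

@dataclass(frozen=True)
class DataPolicy:  # UserGroup x Set<EntityType> x AccessMode -> Boolean
    group: str
    entity_type: str
    instance_ids: frozenset  # assumption: the set holds instance ids of one type
    mode: AccessMode

class PolicyEngine:
    def __init__(self, model_policies, data_policies):
        self._model = {(p.group, p.entity_type, p.mode) for p in model_policies}
        self._data = {}
        for p in data_policies:
            key = (p.group, p.entity_type, p.mode)
            # Several data-level policies on the same key are merged (union).
            self._data[key] = self._data.get(key, frozenset()) | p.instance_ids

    def is_allowed(self, group, entity_type, instance_id, mode):
        key = (group, entity_type, mode)
        if key not in self._model:
            return False  # deny by default: no model-level grant for this type
        scoped = self._data.get(key)
        if scoped is None:
            return True  # no data-level restriction: the grant covers the type
        return instance_id in scoped  # data level narrows the model-level grant

def build_example_engine():
    # Constructed sample policies, for illustration only.
    model = [ModelPolicy("auditors", "Invoice", AccessMode.READ),
             ModelPolicy("clerks", "Invoice", AccessMode.READ)]
    data = [DataPolicy("clerks", "Invoice", frozenset({"inv-1", "inv-2"}),
                       AccessMode.READ),
            # A data-level entry without a model-level grant never widens access.
            DataPolicy("clerks", "Invoice", frozenset({"inv-1"}), AccessMode.WRITE)]
    return PolicyEngine(model, data)
```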