If it's something really dynamic then Spring Security ACLs are a good way to do it. For each group, company, func, method, etc. create a granted authority in table ACL_SID.
Then for each user create an entry in ACL_SID with the is principal flag set to true.
For each domain object in the system that you want to protect, create an ACL in ACL_OBJECT_IDENTITY and grant the correct privileges by inserting rows in ACL_ENTRY.
It's possible to insert both granting and revoking entries in ACL_ENTRY, and the order matters meaning it's possible to revoke access to a group in line 0 and that will take precedence over a grant on line 1.
The ACLs can also be composed in hierarchies and can be set to inherit or not from the parent.
In general ACLs are used whenever Role based access solutions don't provide sufficient flexibility for a given use case.