Are you modeling (like your question says) or implementing?
If you're modeling the use of the web site then you definitely want to think of the different actors and work out what they want (or are allowed) to do. Do that and think about it (make sure people can login and logout as the comments above note). Then use the information you have to do the implementation.
For the implementation you almost certainly want to do it as a matrix of privileges, as it's easier to implement and expand. But you definitely want to put yourself in the shoes of each possible user up front and decide what rights they need/want before going to the matrix.