diff --git a/src/auth/models.cpp b/src/auth/models.cpp
index 9780f84e6..85da82df8 100644
--- a/src/auth/models.cpp
+++ b/src/auth/models.cpp
@@ -185,18 +185,67 @@ bool operator==(const Permissions &first, const Permissions &second) { bool operator!=(const Permissions &first, const Permissions &second) { return !(first == second); } -LabelPermissions::LabelPermissions(const std::unordered_map &permissions) - : permissions_(permissions) {} +LabelPermissions::LabelPermissions(const std::unordered_set &grants, + const std::unordered_set &denies) + : grants_(grants), denies_(denies) {} -void LabelPermissions::Grant(const std::string &label) { permissions_[label] = 1; } +PermissionLevel LabelPermissions::Has(const std::string &permission) const { + if (denies_.find(permission) != denies_.end()) { + return PermissionLevel::DENY; + } -void LabelPermissions::Deny(const std::string &label) { permissions_[label] = 0; } + if (grants_.find(permission) != denies_.end()) { + return PermissionLevel::GRANT; + } -void LabelPermissions::Revoke(const std::string &label) { permissions_.erase(label); } + return PermissionLevel::NEUTRAL; +} + +void LabelPermissions::Grant(const std::string &permission) { + auto deniedPermissionIter = denies_.find(permission); + + if (deniedPermissionIter != denies_.end()) { + denies_.erase(deniedPermissionIter); + } + + if (grants_.find(permission) == grants_.end()) { + grants_.insert(permission); + } +} + +void LabelPermissions::Revoke(const std::string &permission) { + auto deniedPermissionIter = denies_.find(permission); + auto grantedPermissionIter = grants_.find(permission); + + if (deniedPermissionIter != denies_.end()) { + denies_.erase(deniedPermissionIter); + } + + if (grantedPermissionIter != grants_.end()) { + grants_.erase(grantedPermissionIter); + } +} + +void LabelPermissions::Deny(const std::string &permission) { + auto grantedPermissionIter = grants_.find(permission); + + if (grantedPermissionIter != grants_.end()) { + grants_.erase(grantedPermissionIter); + } + + if (denies_.find(permission) == denies_.end()) { + denies_.insert(permission); + } +} + +std::unordered_set 
LabelPermissions::GetGrants() const { return grants_; } + +std::unordered_set LabelPermissions::GetDenies() const { return denies_; } nlohmann::json LabelPermissions::Serialize() const { nlohmann::json data = nlohmann::json::object(); - data["labelPermissions"] = permissions_; + data["grants"] = grants_; + data["denies"] = denies_; return data; } @@ -205,9 +254,18 @@ LabelPermissions LabelPermissions::Deserialize(const nlohmann::json &data) { throw AuthException("Couldn't load permissions data!"); } - return {data["labelPermissions"]}; + return {LabelPermissions(data["grants"], data["denies"])}; } +std::unordered_set LabelPermissions::grants() const { return grants_; } +std::unordered_set LabelPermissions::denies() const { return denies_; } + +bool operator==(const LabelPermissions &first, const LabelPermissions &second) { + return first.grants() == second.grants() && first.denies() == second.denies(); +} + +bool operator!=(const LabelPermissions &first, const LabelPermissions &second) { return !(first == second); } + Role::Role(const std::string &rolename) : rolename_(utils::ToLowerCase(rolename)) {} Role::Role(const std::string &rolename, const Permissions &permissions) diff --git a/src/auth/models.hpp b/src/auth/models.hpp index 1003086c9..91e4e2174 100644 --- a/src/auth/models.hpp +++ b/src/auth/models.hpp @@ -12,6 +12,7 @@ #include #include +#include namespace memgraph::auth { // These permissions must have values that are applicable for usage in a 
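Review bot: In `LabelPermissions::Has`, the second lookup compares an iterator obtained from `grants_` with `denies_.end()`: `if (grants_.find(permission) != denies_.end())`. Comparing iterators that belong to two different containers is undefined behaviour, so the GRANT/NEUTRAL result of this authorization check depends on standard-library internals rather than on the contents of `grants_`. The line should read `if (grants_.find(permission) != grants_.end()) {`. A unit test covering granted, denied and absent permissions, plus the Grant-after-Deny and Deny-after-Grant transitions, would pin the intended result. The find-before-insert guards in `Grant` and `Deny` are also redundant, since `insert` on a set leaves an existing key untouched.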
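Review bot: `Deserialize` now reads `data["grants"]` and `data["denies"]` with no visible check that both keys exist and hold arrays of strings. The guard that throws `AuthException` starts above this hunk, so it may already cover this, but if it only tests `data.is_object()` it is not enough for the new line. On a const `nlohmann::json`, `operator[]` with a missing key is undefined behaviour (an assertion in debug builds), and a wrong value type surfaces as a json exception rather than the `AuthException` the header documents. Records written before this change carry `labelPermissions` and neither new key, so they would take that path when stored auth data is loaded. I would look both keys up with `data.find(...)`, require `is_array()` on each and throw `AuthException` otherwise, and decide explicitly whether legacy `labelPermissions` records are migrated or rejected.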
@@ -91,29 +92,36 @@ bool operator!=(const Permissions &first, const Permissions &second); class LabelPermissions final { public: - LabelPermissions(const std::unordered_map &permissions_ = {}); + LabelPermissions(const std::unordered_set &grants = {}, + const std::unordered_set &denies = {}); - PermissionLevel Has(const std::string &label) const; + PermissionLevel Has(const std::string &permission) const; - void Grant(const std::string &label); + void Grant(const std::string &permission); - void Revoke(const std::string &label); + void Revoke(const std::string &permission); - void Deny(const std::string &label); + void Deny(const std::string &permission); + + std::unordered_set GetGrants() const; + std::unordered_set GetDenies() const; nlohmann::json Serialize() const; /// @throw AuthException if unable to deserialize. static LabelPermissions Deserialize(const nlohmann::json &data); - std::unordered_map permissions() const; + std::unordered_set grants() const; + std::unordered_set denies() const; private: - std::unordered_map permissions_; + std::unordered_set grants_{}; + std::unordered_set denies_{}; }; bool operator==(const LabelPermissions &first, const LabelPermissions &second); +bool operator!=(const LabelPermissions &first, const LabelPermissions &second); class Role final { public: Role(const std::string &rolename); @@ -192,5 +200,3 @@ class User final { bool operator==(const User &first, const User &second); } // namespace memgraph::auth - -// namespace memgraph::auth
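Review bot: The `LabelPermissions` declaration does not say how the two sets combine, and the constructor accepts `grants` and `denies` that overlap. `Has()` in models.cpp checks `denies_` first, so an overlapping entry is denied, but `GetGrants()` and `Serialize()` would still list it as granted, which can mislead anything that displays or audits the stored permissions. I would add a comment above the class such as `/// Deny takes precedence: a permission present in both sets is reported as DENY by Has().`, and either enforce disjointness in the constructor or document that callers must. The header also declares two pairs of by-value accessors for the same members (`GetGrants()`/`grants()` and `GetDenies()`/`denies()`). Keeping one pair that returns a const reference would avoid copying both sets on every `operator==`.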