There are a few approaches. One is to do what you're saying, an on/off flag for the feature and a separate flag for permissions.
Another approach is using a single string feature with multiple values "off", "full access", "partial access", etc.
Or you could use a JSON feature flag and encode permissions in a JSON object.
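
The three flag shapes mentioned in this reply, as an added example that is not part of the original post: each evaluator fails closed, so a missing, malformed or unrecognized flag value grants nothing. The function names and the JSON layout (`enabled`, `permissions`) are assumptions made for illustration, not any flag service's schema.

```python
import json

# Level names reuse the string values quoted in the reply above.
LEVELS = ("off", "partial access", "full access")


def from_two_flags(enabled, permission):
    """Approach 1: boolean on/off flag plus a separate permission flag."""
    # Only a literal True enables the feature; None (flag lookup failed) or a
    # string such as "true" is treated as off.
    if enabled is not True:
        return "off"
    return permission if permission in LEVELS else "off"


def from_string_flag(value):
    """Approach 2: one string flag with several values."""
    # Unknown, misspelled or missing values deny instead of defaulting upward.
    return value if value in LEVELS else "off"


def from_json_flag(raw, action):
    """Approach 3: JSON flag carrying per-action permissions (assumed layout)."""
    try:
        cfg = json.loads(raw)
    except (TypeError, ValueError):
        return False  # missing or unparsable flag payload
    if not isinstance(cfg, dict) or cfg.get("enabled") is not True:
        return False
    perms = cfg.get("permissions")
    # An action is allowed only when it is explicitly set to JSON true.
    return isinstance(perms, dict) and perms.get(action) is True


if __name__ == "__main__":
    # Constructed sample payload, not taken from any real flag service.
    sample = '{"enabled": true, "permissions": {"read": true, "export": false}}'
    print(from_two_flags(True, "partial access"))
    print(from_string_flag("full acess"))  # typo in the flag value -> "off"
    print(from_json_flag(sample, "read"), from_json_flag(sample, "delete"))
```
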