That sounds reasonable. From a database perspective you've got a many-to-many relationship between a Category and a User with permissions tied to this relationship.
Realize that there are some potential performance issues with this approach. Say I'm 50 levels deep trying to determine if a User has permission to do something. Presumably you want to deny permission if some parent up the chain doesn't allow the operation that the User is trying. You now need to walk up the tree examining each parent node to determine if you should grant the permission. Now have it 50,000 levels deep. That may not be your use case so this may not be a big issue.
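The parent-chain walk described in the answer above, as an added example that is not part of the original post: a recursive query resolves the whole chain in one round trip instead of one lookup per level. The table and column names, the rule that any explicit deny on the chain wins and that no grant at all means deny, and the depth cap are assumptions made for this sketch.

```python
import sqlite3

SCHEMA = """
CREATE TABLE category (id INTEGER PRIMARY KEY, parent_id INTEGER REFERENCES category(id));
CREATE TABLE category_user (      -- many-to-many link that carries the permission
    category_id INTEGER NOT NULL REFERENCES category(id),
    user_id     INTEGER NOT NULL,
    action      TEXT    NOT NULL,
    allowed     INTEGER NOT NULL, -- 1 = grant, 0 = explicit deny
    PRIMARY KEY (category_id, user_id, action));
"""

# Walk from the requested category up to the root in a single statement.
# The depth bound stops a corrupted parent_id cycle from recursing forever.
CHECK = """
WITH RECURSIVE chain(id, parent_id, depth) AS (
    SELECT id, parent_id, 0 FROM category WHERE id = :cat
    UNION ALL
    SELECT c.id, c.parent_id, chain.depth + 1
    FROM category c JOIN chain ON c.id = chain.parent_id
    WHERE chain.depth < :cap)
SELECT COUNT(cu.allowed), MIN(cu.allowed), MAX(chain.depth)
FROM chain LEFT JOIN category_user cu
  ON cu.category_id = chain.id AND cu.user_id = :user AND cu.action = :action
"""

def build_chain(levels):
    """Constructed sample data: category 1 is the root, category N hangs off N-1."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO category VALUES (?, ?)",
                     [(i, i - 1 if i > 1 else None) for i in range(1, levels + 1)])
    return conn

def set_rule(conn, category, user, action, allowed):
    conn.execute("INSERT OR REPLACE INTO category_user VALUES (?, ?, ?, ?)",
                 (category, user, action, int(allowed)))

def is_allowed(conn, user, category, action, cap=1000):
    """Return (allowed, nodes_walked); fails closed on no rule, any deny, or cap hit."""
    rules, weakest, depth = conn.execute(
        CHECK, {"cat": category, "user": user, "action": action, "cap": cap}).fetchone()
    walked = 0 if depth is None else depth + 1
    if rules == 0 or depth is None or depth >= cap:
        return False, walked
    return weakest == 1, walked
```

The number of nodes walked still grows with depth, so for very deep trees the usual next step is to precompute the ancestor set (for example a closure table) rather than resolve it on every check.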