@bdiddy you can use directory extensions as optional claims for each of the permissions required. You can create the extensions "process order" and "cancel order", both of type "boolean", and assign both to user or group C and the latter to user or group D, so you can get them in the token issued to each user.
The following shows how to create an application and an extension, and assign it to the first directory user: