The fundamental concern in this situation is creating a structure that is easy to understand and easy to maintain. While the first thought might be to create bag policies that list lots of users, this is not ideal. Adding a username to potentially many policies is cumbersome and prone to error, and the policy files may become large enough that they are expensive to process.
A better solution is to use roles. Role names are put in policy statements. When users are created, they are given the required roles. In the future when a user's level of access changes, they simply need to have their roles changed or their account deleted: there's no need to go digging around in policies.
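The contrast described above, as an added example that is not part of the original page: a small Python model in which policy entries prefixed with `R:` name roles and bare entries name users. The prefix, the bag names, the users and every function name are assumptions made for illustration, and the data is constructed.

```python
ROLE_PREFIX = "R:"  # assumed convention: an entry starting with "R:" names a role

# Constructed sample data: users carry roles; most policies name roles, not users.
USERS = {"alice": {"editor", "auditor"}, "bob": {"editor"}}

POLICIES = {
    "docs":    {"read": ["R:editor", "R:auditor"], "write": ["R:editor"]},
    "reports": {"read": ["R:auditor"], "write": ["R:auditor"]},
    "legacy":  {"read": ["alice", "bob"], "write": ["alice"]},  # user-list style
}


def allowed(users, policies, user, bag, action):
    """True if the user, or one of the user's roles, appears in the constraint."""
    roles = users.get(user)
    if roles is None:  # deleted or unknown account: deny everything
        return False
    for entry in policies.get(bag, {}).get(action, []):
        if entry.startswith(ROLE_PREFIX):
            if entry[len(ROLE_PREFIX):] in roles:
                return True
        elif entry == user:
            return True
    return False


def direct_user_entries(policies):
    """Audit helper: (bag, action, username) entries that bypass roles."""
    return sorted(
        (bag, action, entry)
        for bag, policy in policies.items()
        for action, entries in policy.items()
        for entry in entries
        if not entry.startswith(ROLE_PREFIX)
    )


def policies_to_edit_on_revoke(policies, user):
    """Bags whose policy text must be edited to revoke this user's access."""
    return sorted({bag for bag, _, name in direct_user_entries(policies) if name == user})
```

Removing a role from a user changes the outcome for every role-based policy at once, while any bag returned by `policies_to_edit_on_revoke` still grants access until its policy is edited by hand.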