Makes sense. What I still find hard to wrap my head around is how ZedTokens work in a hierarchical permission model. When I use a WriteRelationships call to remove Alice's direct access to a specific document, it makes sense to store the returned ZedToken with the document. But what do I do when instead I remove Alice from a group that gave her transitive access to the doc? I can't store the ZedToken with the doc because the relationship is transitive