Hopefully quick question. I'm looking at migrating a legacy security system that is... Lets say unique. I have a security configuration that links users and resources, but final permission evaluation makes active grant decisions on when a resource is linked to one of these configurations but a user is not (don't ask, it's special). Would it be fair to say that in order to make an evaluation determination with union, intersection, or exclusion there must exist a link between user and resource -- a lack of a link between a user and resource is not computable?