fair enough, authzed is already more flexible than the other solutions i've tested. There seem to be only three options then: - Change the UX around to limit actions unless focused on a specific resource. I realize what I'm asking for is the equivalent of Google having a share button on every doc in the docs list on docs dot google dot com (which they don't have). - Iterate in the application (no fun, rather would avoid for performance reasons as you said) - Query direct relationships already (while this would work, my concern is that the UI would get out of sync with the permissions schema eventually -- e.g., if the UI is assuming you can "delete" if you are an owner, but the schema says delete means owner OR x OR y... then there's a mismatch when enable/disable would reflect how the delete permission check would actually evalulate, no?