and then issue checks for each "parent" permission