Our schema is largely based on this blog post https://authzed.com/blog/user-defined-roles, plus previous conversations on this channel. Our resource hierarchy is defined by two-way links. I can send you the complete schema if that helps. As of the use case above, there are two places: one to resolve information for an access management dashboard. it's basically a list of "this user can do {x,y,z} on {resource}", and the other is to resolve data to a front-end application that needs all permissions between the current user and a resource sent eagerly to it, to properly paint elements on the screen