longer term, LookupWatch (or some variant thereof) is likely the "best" solution: you'd just write a linking record into your DB with what users have access to as it changes, then use that to further filter down before checking the results to avoid new-enemy (if you care)