resource : document, permission : manage_document Subject: User Only thing is user is associated with role and role has permission . I don't want to use permission directly on user subject. Roles are collection of permissions