I have a resource hierarchy like below: defintion user {} defintion project{ relation editor: user permission edit = editor } defintion folder{ relation parent_project : project relation editor: user permission edit = editor + parent_project->edit } 1. A project can contain 1 million folders 2. In our use case we only have 100s of folders which can be shared out of the 1 million with others 3. How can we model this concept without storing one million folders relationships between folder and parent_project and instead only store the relationships for the folders which are shareable ? 4. How do I make checkPermission return true for folders for which I have not defined a relationship with the project (because they are not shareable with others) but still accessible to the project editor ? I can only think of this application logic: -- check if relation exists between folder and project then perform the checkPermission on the folder else checkPermission on the project. I am trying to look for a more elegant solution which can do this in a single checkPermission unless you think the above logic is the best possible solution