# spicedb
h
Is there a way to look up subjects for a particular resource, and also get back details on how the subject has access to a particular resource (e.g. whether it's via a relationship or inherited permission)? I have a schema where documents live under folders, and any viewer of a folder can view all of the documents in the folder. Documents can individually also have viewer/editor relationships to users. If user A is a viewer of a folder, then it has permission to view a document X under said folder. If I look up subjects for document X, I get back user A as expected. But is the response able to reveal whether user A has permission because of a relationship with document X vs. inherited permission from its folder?
Basically, what API call(s) would be best suited for displaying what Google Drive shows in the Share modal, with a list of users and whether each user has viewer or editor access. Do I need to make separate API calls to check for subjects with view access, then edit access, and de-duplicate manually (since editors also have view access)? Thanks!
j
Expand
it doesn't auto-recurse, but neither does the share dialog
h
so I would need to make multiple expand calls, one for each permission I want to check?
j
yes, but only if you want the full recursion
most of the time, you don't want to display that to the end user
h
Ah ok, I think I see. If the "view" permission is the most "liberal" permission (i.e. anyone who has any other permission inherits view permission), then I really only need to make one expand call for view permission, and I'll see all the subjects and their relations which allow them to have that permission
j
unless the user has access via a nested group
in which case it will just show that group
which is what the Share dialog in Google Docs does
h
like an "organization" which users can be a part of?
it wouldn't expand the organization, it would just show that this organization has access
j
yes
correct