there are likely other options too, but its hard to explain without an example

here is my current schema : definition user {} definition orgunit { relation parent: orgunit relation employee: user relation reader: loan_agreement#external_org permission view = employee + parent->view + reader->view } definition member { relation orgunit: orgunit relation reader: loan_agreement#external_org permission view = orgunit->view + reader->view } definition external_org { relation parent: external_org relation employee: user permission view = employee + parent->view } definition loan_agreement { relation orgunit: orgunit relation external_org: external_org permission view = orgunit->view + external_org->view } definition loan_document { relation loan_agreement: loan_agreement permission view = loan_agreement->view } definition member_document { relation member: member permission view = member->view } definition org_unit_document { relation orgunit: orgunit permission view = orgunit->view } the current problem is employee from external_org able to see loan_document and member_document. but not for org_document.