Any chance this gets easier if we impose a hard-coded limit on the total number of tags a document can have? Something like:

definition user {}

definition document {
    relation access_required_tag_1: tag
    relation access_required_tag_2: tag
    relation viewer: user

    permission view = viewer & access_required_tag_1->member & access_required_tag_2->member
}

definition tag {
    relation direct_member: user

    permission member = direct_member
}

The thing that's missing here is if

access_required_tag_2

is not defined (e.g. the document only has 1 tag instead of the maximum 2 tags) then the

view

permission fails. Is there some syntax trick for doing an

&

only if the relation is defined on a resource? Basically the equivalent of something like

permision view = viewer & ( (access_required_tag_1 is none || access_required_tag_1->member) & (access_required_tag_2 is none || access_required_tag_2->member) )