However, seems the AuthZ check is not being evaluated correctly. For the follwing test relationship,

loan:loan1#operator@user:user1[check:{"user_location":"loc1","loan_location":"loc1","user_department":"prod1","loan_product":"prod1","user_designation":"desg1","allowed_designation":"desg1"}]
loan:loan1#operator@user:user2[check:{"user_location":"loc1","loan_location":"loc2","user_department":"prod1","loan_product":"prod1","user_designation":"desg2","allowed_designation":"desg1"}]
location:loc1#work@user:user1
location:loc1#work@user:user2
location:loc1#pos@loan:loan1
designation:desg1#hold@user:user1
designation:desg2#hold@user:user2
department:prod1#belong@user:user1
department:prod1#belong@user:user2
department:prod1#handle@loan:loan1

user2 should not have the approval authZ because location and designation caveats are not fulfilled. However, I am getting the following expected relationships generated:

loan:loan1#operator:
  - "[user:user1[...]] is <loan:loan1#operator>"
  - "[user:user2[...]] is <loan:loan1#operator>"