you could define a permission that only includes "local" access, and then check it and the overall permission: if the "local" permission is false, but the global one is true, then you know the user only has access through the global relation(s)