Yes, I suspected two checks are required. In my original message I had this other idea shown below.

Another idea would be express the port as a permission and have host as the resource. This would require us to modify the schema to express each network port as a permission and schema would need to be updated as we enable more ports. But to support the super user use case we would need to add every single network port as a permission in the schema. Would it be useful to support a 'default' permission in a relation, which is used when the permission in the check request does not match anything defined in the schema? The default permission could check to see if the user has an 'any' relation to the host.

In the above idea we model access to a specific port as a permission. Would it be a concern if we were to add all possible network ports as unique permissions on the host object? The second part of the proposal tries to avoid adding all ports as permissions and proposes the idea of a default permission to handle the super user case. Let me know your thoughts. Completely okay to laugh it off 🙂