I think the above model does not solve my problem though. Let's take a specific example. I want to achieve:
U1 allow access to Host1 Port30
U2 allow access to Host2 Port40
U3 allow access to any port on Host 1 or Host 2
With your model U1 will have a can_access relation to Port30, thus allowing it to access Port30 on any host. The intention is to allow a user access to a specific port on a specific host (and not just a specific port on any host).
The other thing I am hoping to do is avoid adding relations between 65k TCP port objects and Host 1, Host 2, HostN to address U3.
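The requirement in the post above, as an added example that is not part of the original post or of the model being discussed: a minimal relationship-tuple check in Python that shows the port-only model leaking across hosts, next to one possible host-scoped layout. The tuple layout, the `port:<host>/<port>` object ids and the `can_access_any_port` relation are assumptions made for illustration.

```python
# Added example. Tuples are (user, relation, object); all ids are constructed.

def port_only_check(tuples, user, host, port):
    """Model the post objects to: the object is the port alone.

    The host argument is never consulted, so a grant on port 30
    applies to port 30 on every host.
    """
    return (user, "can_access", f"port:{port}") in tuples


def host_scoped_check(tuples, user, host, port):
    """One possible alternative (assumption, not the thread's model).

    Port objects are keyed by host, and a host-level relation covers
    every port on that host without one tuple per port.
    """
    if not 1 <= port <= 65535:  # reject values outside the TCP port range
        return False
    on_this_port = (user, "can_access", f"port:{host}/{port}") in tuples
    on_whole_host = (user, "can_access_any_port", f"host:{host}") in tuples
    return on_this_port or on_whole_host


# Port-only tuples: U1 -> Port30, U2 -> Port40, no host in the object id.
FLAWED = {
    ("U1", "can_access", "port:30"),
    ("U2", "can_access", "port:40"),
}

# Host-scoped tuples for the three requirements in the post.
SCOPED = {
    ("U1", "can_access", "port:host1/30"),
    ("U2", "can_access", "port:host2/40"),
    ("U3", "can_access_any_port", "host:host1"),
    ("U3", "can_access_any_port", "host:host2"),
}

if __name__ == "__main__":
    print("port-only, U1 on host2:30 ->", port_only_check(FLAWED, "U1", "host2", 30))
    print("scoped,    U1 on host2:30 ->", host_scoped_check(SCOPED, "U1", "host2", 30))
    print("scoped,    U3 on host1:8443 ->", host_scoped_check(SCOPED, "U3", "host1", 8443))
    print("tuples needed for U3:", sum(1 for t in SCOPED if t[0] == "U3"))
```

U3 is covered by two tuples, one per host, rather than one per port per host.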