Actually, I'm trying to implement it client-side but I'm hitting a wall: I can't do much with an

EXCLUDE(['*'], ['id1', 'id2'])

. I know which subjects do not have the permission (

id1

and

id2

), but not which ones do have the permission!