I think my recommendation would be to not use lookup results for guarding permissions at all, use them to show the user their options, but then when the user navigates to that one option do a check