when you write a new schema that changes the permission computation, you don't have to do anything, and if

user:456

was previously getting their access by being a

team->member

those checks will start to deny