I still wonder how to build scheme for something like below: I have permissions for different microservices which defined using role resource scope: ResourceA, ResourceB, ResourceC Each resource has scopes: ResourceA => ScopeA1, ScopeA2, ScopeA3 ResourceB => ScopeB1, ScopeB2 ResourceC => ScopeC1, ScopeC2 Each user has role/group and each role has access to resource-scope pairs which defined for that microservice. For example: UserA has RoleA RoleA can Access ResourceA with ScopeA1 So I can check that permission is UserA can access to ResourceA with ScopeA1 (which is true because user has role RoleA)