and you'd load the permissions necessary at API call time