@User I'm understanding you have 3 problems (might totally be misunderstanding): 1. You're not super-sure how to access-control a list of resources Joey pretty much answered this one. At a high level, you can either pre-filter by getting the list of accessible resources (Lookup) and use it in a filter in your DB query, or post-filter by optimistically querying the DB and then removing the resources the user doesn't have access to. 2. You're concerned about the amount of resources to intersect I don't think there's anything you're missing here, really. Either you accept that you have to manipulate large sets, or you find a way to reduce the space of resources to lookup, which leads me to... 3. You'd like to lookup resources accessible by a Partner in a specific Org I had the same problem just yesterday! In my case I had users being part of multiple orgs, and I wanted to lookup resources in a single Org. There is a solution indeed What you are missing is a new definition: something like

partner_of_org

. It's basically an object representing the relationship between a single partner and a single org, its ID could be a concatenation of the partner ID and the org ID.