for external API calls, its nicer to have them all be permissions, unless you're explicitly checking if a subject is part of that relation