ah got it... thanks. follow up question, using your example here, say i have a

definition sub_resource {
  relation resource: resource
  relation writer: user
  permission edit = writer + resource->writer  // or writer + resource->edit
}

you could say either resource writers can edit sub resources, or those with permission to edit resource can also edit sub resources.... both are correct, right? is there a practical effect on the back end of using one or the other (i.e. an extra traversal walking back a computed permission vs. a relation)? or is that so small that it's negligible?