here's a question I can't quite wrap my head around sensibly. For some context, I work with recruitment software, so we have "recruitments" and "companies" in this specific case. You can either have inherited permissions (such as "I'm an HR manager for the company"), where a role on the company will grant access to all recruitments, or you can have individually granted permissions. All of this is fine and dandy and works great in a Zanzibar-style system. My question comes to the implemention of listing those recruitments (this goes beyond authz, and is about figuring out authz + business logic). If a given company has 10k recruitments, and one user has access to all (by virtue of being manager on the company, e.g

company->manager

), and another user has been granted access to 3 distinct recruitments, what's a sensible way to list the recruitments a user has access to? If I want to e.g list 25 records, I can of course retrieve 25, and check if the user can access each individual one, but for the user that has access to 3, it might be that none of the first 25 are accessible, so then I have to retrieve the next 25, for potentially 400 queries. Of course, I can also list a bunch more recruitments and narrow it down, but now I have to deal with a lot of wasted memory. Lastly, I can make my code do multiple checks: 1. Can I "list all recruitments" on the company? 2. If yes, query latest 25 and return ⬛️ 3. Query the authorization database "which recruitments do I have direct access to?" 4. Query the recruitments database, only in certain IDs ⬛️ I feel like I'm missing something in my mental model for this – any advice? I think this seems similar to the question @User answered yesterday on resource type vs specific resource, but I'd love some more clarity on it