Is there anyway to model it where I don't need to create both a vendor_read permission on tenant and a read/vendor_read permission on vendor?