normally, this is also okay: its not expected that if you remove someone they need to lose access immediately, because they previously did have access to the protected resource's contents. If the contents of the resource, however, are to be changed, then you need to send a ZedToken to ensure the access loss is accounted in the check