you either call

LookupResources

for the user and then use that in a

WHERE id = ANY([...])

query or you query out of your database first and then call

BulkCheckPermission

on the IDs that are returned to filter by authz