Yes, that was fallback option, to check not only is the account (non owner, account that the owner has shared the session with) intends to perform an operation on the session which spicedb will return based on the permission, but to also do a separate check if the same account is a user of the app. I was hoping I could model that within spicedb itself to make it a singular check as we will be extending the current schema include more app related entities besides just session.