The "use" of software is tied to membership of a project but the same software could be available via multiple different projects - and a users ability to use a piece of software derives from their membership of a project. The solution from @theconductor has the downside that it encodes project info into the permission check - and when requesting software we don't know which project it is being requested via - we simply want to know if the user can "use" that piece of software.