it'd depend on what it means for a user to belong to an organization 🤷 your schemas above seem to treat user groups and organizations as two independent things, and it isn't clear how a user group figures into an authorization question about whether a user has a particular permission on an organization