worst case it's: 1. create a synthetic

any_access

permission that's the

+

of all of the permissions a user could have 1.

LookupSubjects

for each doc on that

any_access

permission 1.

BulkCheck

on those users for each doc for each permission