one way that i've seen to approach this problem is to put a generic

resource

definition under the resources in question, with the same permissions as you'd find on the resources, but a single relation pointing to the specific resource. when you need to find all of the resources that a user has a particular permission on, you call

LookupResources

on that generic definition rather than the specific definition.