how would y'all go about modeling permission to connect a resource to another resource? like let's say i have groups and documents. admins of a group are allowed to add documents that they own to the group. but non-admins cannot add documents, and admins cannot add documents they do not own. would it look like this?

type user {}

type group {
  relation admin: user
  relation member: user

  permission add_document = admin
}

type document {
  relation owner: user
  relation editor: user
  relation viewer: user
  relation group: group

  permission add_to_group = owner // no way to assert about the group being added to here because it is not yet related!
}

and then the operation requires two permission checks to fully authorize?