09/16/2022, 8:06 PM
how would y'all go about modeling permission to connect a resource to another resource? like if i have groups and documents and admins of groups are allowed to add documents that they own to a group. but non-admins cannot add documents, and admins cannot add documents they do not own. would it look like this?
type user {}

type group {
  relation admin: user
  relation member: user

  permission add_document = admin
}

type document {
  relation owner: user
  relation editor: user
  relation viewer: user
  relation group: group

  permission add_to_group = owner // no way to assert about the group being added to here because it is not yet related!
}
and then the operation simply requires two permission checks?