This is an example of our schema; we took CloudIAM as a basis.
Currently we have ~550 permissions.
definition subject {}

definition role {
    relation include: role
    relation glance_image_create_rel: subject:*
    permission glance_image_create = glance_image_create_rel + include->glance_image_create
    // --- other permissions ---
}

definition resource {
    relation parent: resource
    relation allow: binding
    relation deny: binding
    permission glance_image_create = allow_glance_image_create - deny_glance_image_create
    permission allow_glance_image_create = allow->glance_image_create + parent->allow_glance_image_create
    permission deny_glance_image_create = deny->glance_image_create + parent->deny_glance_image_create
    // --- other permissions ---
}

definition binding {
    relation subject: subject
    relation role: role
    permission glance_image_create = subject & role->glance_image_create
    // --- other permissions ---
}
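To make the resolution order of the schema above concrete, here is an added offline evaluator. It is an illustration written for this page, not SpiceDB code and not part of the original post: it re-implements the semantics of the three definitions (role `include`, resource `parent` chain, binding `subject & role->perm`, and `allow_* - deny_*`) over an in-memory relationship set, so the effect of a deny binding on a parent can be checked without a running server. All object ids (alice, bob, org, project, image_admin, b1..b3) are constructed sample data.

```python
from collections import defaultdict

# Object references are (definition, object_id) tuples; "*" is the wildcard
# object id, matching the schema's `subject:*`.
WILDCARD = ("subject", "*")


class Store:
    """In-memory relationship tuples: (resource, relation, subject)."""

    def __init__(self):
        self._rels = defaultdict(lambda: defaultdict(set))

    def write(self, resource, relation, subject):
        self._rels[resource][relation].add(subject)

    def lookup(self, resource, relation):
        return self._rels[resource][relation]


def role_has(store, role, perm, seen=None):
    """definition role: perm = <perm>_rel + include-><perm>"""
    seen = set() if seen is None else seen
    if role in seen:                      # stop on cyclic includes
        return False
    seen.add(role)
    if WILDCARD in store.lookup(role, f"{perm}_rel"):
        return True
    return any(role_has(store, r, perm, seen)
               for r in store.lookup(role, "include"))


def binding_grants(store, binding, subject, perm):
    """definition binding: perm = subject & role-><perm>"""
    if subject not in store.lookup(binding, "subject"):
        return False
    return any(role_has(store, r, perm) for r in store.lookup(binding, "role"))


def via_bindings(store, resource, kind, subject, perm, seen=None):
    """allow_<perm> / deny_<perm>: <kind>-><perm> + parent->(same)

    Walks up the whole parent chain, so a binding on any ancestor counts.
    """
    seen = set() if seen is None else seen
    if resource in seen:                  # stop on cyclic parents
        return False
    seen.add(resource)
    if any(binding_grants(store, b, subject, perm)
           for b in store.lookup(resource, kind)):
        return True
    return any(via_bindings(store, p, kind, subject, perm, seen)
               for p in store.lookup(resource, "parent"))


def check(store, resource, perm, subject):
    """definition resource: perm = allow_<perm> - deny_<perm>"""
    return (via_bindings(store, resource, "allow", subject, perm)
            and not via_bindings(store, resource, "deny", subject, perm))


def build_sample():
    """Constructed sample data (not from the original post)."""
    s = Store()
    image_admin = ("role", "image_admin")
    project_admin = ("role", "project_admin")
    alice, bob = ("subject", "alice"), ("subject", "bob")
    org, project = ("resource", "org"), ("resource", "project")

    # image_admin may create images; project_admin includes image_admin
    s.write(image_admin, "glance_image_create_rel", WILDCARD)
    s.write(project_admin, "include", image_admin)

    # project sits under org
    s.write(project, "parent", org)

    # org allows alice as project_admin and bob as image_admin
    for bid, subj, role in (("b1", alice, project_admin), ("b2", bob, image_admin)):
        b = ("binding", bid)
        s.write(b, "subject", subj)
        s.write(b, "role", role)
        s.write(org, "allow", b)

    # project explicitly denies alice the image_admin role
    b3 = ("binding", "b3")
    s.write(b3, "subject", alice)
    s.write(b3, "role", image_admin)
    s.write(project, "deny", b3)
    return s


if __name__ == "__main__":
    s = build_sample()
    for res, subj in (("project", "alice"), ("org", "alice"), ("project", "bob")):
        print(res, subj, check(s, ("resource", res), "glance_image_create", ("subject", subj)))
```

Two properties of the schema fall out of the walk: alice keeps `glance_image_create` on org (the deny sits below it), but loses it on project even though her allow comes from a role that includes image_admin rather than image_admin directly, because `role->glance_image_create` follows `include`. And since both `allow_*` and `deny_*` walk the full parent chain, a deny on an ancestor blocks every descendant and cannot be re-enabled by an allow further down.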
Our service will act as the IAM for a platform in which N extensions can be deployed. Extensions will be installed and upload their permissions to us.
According to our calculations, provided that the permission length limit is 62 characters, we will be able to support 3-4K permissions.
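Since the schema above is regular in the permission name, an IAM service that receives permission lists from installed extensions can expand them mechanically. The following added generator (written for this page; not the poster's service and not SpiceDB tooling) does that and applies the check a practitioner would want before writing the schema: the longest identifier the layout derives from a name is `allow_<name>`, so the usable name length is the identifier limit minus six. The 62-character cap is the figure quoted in the post and is taken as an assumption here; the identifier regex and the extension permission list are also constructed for the example.

```python
import re

# Identifier rules assumed for this illustration: lowercase alphanumerics and
# underscores, starting with a letter. 62 is the limit quoted in the post,
# not a value verified here; adjust to your SpiceDB version.
IDENT = re.compile(r"^[a-z][a-z0-9_]*$")
MAX_IDENT_LEN = 62

# Longest identifier the three definitions derive from a permission name.
PREFIX_OVERHEAD = len("allow_")


def validate_permission_names(names):
    """Return {name: reason} for names that cannot be used with this layout."""
    problems = {}
    seen = set()
    for n in names:
        if n in seen:
            problems[n] = "duplicate"
        elif not IDENT.match(n):
            problems[n] = "invalid identifier"
        elif len(n) + PREFIX_OVERHEAD > MAX_IDENT_LEN:
            problems[n] = f"allow_{n} exceeds {MAX_IDENT_LEN} characters"
        seen.add(n)
    return problems


def render_schema(names):
    """Expand a permission list into the subject/role/resource/binding schema."""
    bad = validate_permission_names(names)
    if bad:
        raise ValueError(f"rejected permissions: {bad}")

    role = ["definition role {", "    relation include: role"]
    resource = ["definition resource {",
                "    relation parent: resource",
                "    relation allow: binding",
                "    relation deny: binding"]
    binding = ["definition binding {",
               "    relation subject: subject",
               "    relation role: role"]
    for p in names:
        role += [f"    relation {p}_rel: subject:*",
                 f"    permission {p} = {p}_rel + include->{p}"]
        resource += [f"    permission {p} = allow_{p} - deny_{p}",
                     f"    permission allow_{p} = allow->{p} + parent->allow_{p}",
                     f"    permission deny_{p} = deny->{p} + parent->deny_{p}"]
        binding.append(f"    permission {p} = subject & role->{p}")

    blocks = [["definition subject {}"], role + ["}"], resource + ["}"], binding + ["}"]]
    return "\n\n".join("\n".join(b) for b in blocks) + "\n"


# Constructed sample input: what one extension might register on install.
EXTENSION_PERMISSIONS = ["glance_image_create", "glance_image_delete", "nova_server_start"]

if __name__ == "__main__":
    print(render_schema(EXTENSION_PERMISSIONS))
```

Each registered permission costs five `permission` lines and one relation across the three definitions, which is the per-permission overhead to budget for when estimating how many permissions the schema can carry.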