Yup that is correct we are using LR for all access control decisions. I think we're going to go with the "token jar" approach and see if performance is acceptable.