# spicedb
Hi Joey, thanks for your reply. We came up with a slightly different idea and decided to introduce a boolean attribute `parent_inheritance_disabled`. Following the expanded example from @natholas, we have the following schema right now:

```
definition folder {
  relation parent: folder
  relation viewer: user | team#member | user:*
  relation editor: user | team#member | user:*

  relation parent_inheritance_disabled: user | team#member | user:*

  permission read = (parent->read - parent_inheritance_disabled) + viewer + editor
  permission write = (parent->write - parent_inheritance_disabled) + editor
}
```
So, basically, when `public_access` or `team_access` is set to `null`, we don't create the `parent_inheritance_disabled` relation, hence we allow inheriting parent permissions. But, for example, if we set `team_access` to some value, like `viewer`, then we "detach" the parent permission by creating relations:

```
folder:1#viewer@team:1#member
folder:1#parent_inheritance_disabled@team:1#member
```
We didn't go with your initial suggestion to detach a parent, which I understood as removing the relation `folder:1#parent@folder:parent`. In this case we lose inheritance for all subjects, not only for certain subjects. But the additional boolean relation and inclusion operator seem to be working fine and greatly fit our requirements, where we want to granularly forbid someone from inheriting parent permissions. Could you please review this solution and reveal any pitfalls that we may be missing? So far the only downside we have found is a higher number of relations, but maybe there are more implications? Thanks!
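
An added example, not part of the original post and not SpiceDB's own code: a small Python model of how the `read` and `write` expressions in the schema above evaluate, run over constructed relationships. It assumes a `team` definition with a `member: user` relation, which the post does not show; `in_relation`, `parents` and `check` are hypothetical helper names.

```python
# Constructed relationships (sample data, not from the original post).
# Assumes `definition team { relation member: user }`, which the post does not show.
RELS = {
    ("folder:root", "viewer", "user:*"),          # public read on the parent
    ("folder:root", "editor", "user:carol"),      # carol can write the parent
    ("folder:1", "parent", "folder:root"),
    ("folder:1", "viewer", "team:1#member"),      # the two tuples from the post
    ("folder:1", "parent_inheritance_disabled", "team:1#member"),
    ("folder:2", "parent", "folder:1"),           # a child with no tuples of its own
    ("team:1", "member", "user:alice"),
    ("team:1", "member", "user:carol"),
}

def in_relation(rels, resource, relation, user):
    """True if `user` is in resource#relation directly, via user:*, or via a userset subject."""
    for res, rel, subj in rels:
        if res != resource or rel != relation:
            continue
        if subj in (user, "user:*"):
            return True
        if "#" in subj:                           # e.g. team:1#member
            obj, sub_rel = subj.split("#")
            if in_relation(rels, obj, sub_rel, user):
                return True
    return False

def parents(rels, folder):
    """Subjects of folder#parent."""
    return [s for r, rel, s in rels if r == folder and rel == "parent"]

def check(rels, folder, permission, user):
    """Model of: (parent->perm - parent_inheritance_disabled) + viewer + editor
    for read, and the same with only `editor` as the direct relation for write."""
    direct = ["viewer", "editor"] if permission == "read" else ["editor"]
    if any(in_relation(rels, folder, rel, user) for rel in direct):
        return True
    inherited = any(check(rels, p, permission, user) for p in parents(rels, folder))
    return inherited and not in_relation(rels, folder, "parent_inheritance_disabled", user)
```

With this data, `check(RELS, "folder:1", "write", "user:carol")` is `False` although carol is an editor on `folder:root`, and the same holds on `folder:2` below it because its `parent->write` is evaluated on `folder:1`. A user outside the team, such as `user:bob`, still reads `folder:1` through the parent's `user:*` viewer.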