another thing that might help is that in our schema language, you can think about a permission check as being a walk from the object or resource to the subject