gotcha - the use case is roughly, i have definition user {...} and definition ops {...} , and i only want to grant permission on ops to modify user data when the user isn't active yet. my thought for representing this as a relation is something like below, although i don't think this would work since the is_active in on user

definition user {
  relation is_active: user:*
  relation ops_manager: ops
  permission modify_data: ops & is_active
}