As it stands, yes, you are right. It would require trying to load the document for each recipient user and checking the result. That seems mostly a performance concern though, although there may be others such as creating a valid auth context for each recipient. But would you not be able to expose the 'can user x view post y in the service API if this was really needed? You are essentially doing this anyway with your common auth service. Maybe it would be an organisational bottleneck if you implement this differently per service? But I'm not sure reading permissions without data is common/general enough of a problem in most businesses to justify a general system for it.