and if you're still checking access on the resource, you'd make the permission walk from the resource to the organization and then through the role binding