I also have another model in mind where I can get rid of a user (cut the head off the snake so to speak) in one hit. The use case is that beth has been compromised and beth's access to the entire system has to be revoked. (think revoke refresh_tokens in OAuth2) My access_token/refresh_token carry only 2 things (subject:beth, integrity_id:1234) My thought is. 1. a user_repo where all users reside (just like github) beth is a member or user_repo and also a member or integrity:1234 if you ask is beth in user_repo, it can only be yes if beth is in both. So the user_repo object is dependent on beth being in integrity:1234 if I kick beth out of integrity:1234, there is no more beth. To get beth back, I create a new object integrity:2222 and add beth to that one. I then let user_repo have a relationship with integrity:2222 beth is back. All those access_token(s) and refresh_token(s) that are still carrying and producing beth + integrity_id:1234 are useless, thus revoked in a single hit.