We have the following scenario: We have following resources: order(which has a location attribute), bill ( which has a location attribute) We have the following contexts: location ( a location could be referenced in several administrative regions), administrative_region We have this authz model: user, role(clerk, supervisor, etc...), permission and context (location or administrative region) · A role can have several permission sets: order_read, order_write, bill_read, bill_write ( so the relationship would be a kind of role:clerk has permission:order_read) · Then, we grant a specific role to a user, in a specific location or administrative region ( so the relationship would be user:elisa member of role:clerk in location:france) Then we would need to check if: user:elisa has order_read permission on location:france user:elisa has order_read permission on administrative_region:europe We need as well to get list of locations where the user has the permission order_read In a similar question, I got this answer: definition user {} definition region { relation sales_manager: user relation sales_clerk: user relation accountant: user ... permission order_read = sales_manager + accountant } If this a good approach? I mean, if my app has hundreds or permissions and roles, having all in the same definition? And in case that multi tenancy is required, should it be hardcoded on the permission defintion (tenant1_order_read, tenant2_order_read)?