Hi Joey, thanks for the details, have to read thru to grasp all, especially the "caveats proposal"...in the rbac like design, you mentioned "you'd have to apply these role changes anyway" - could you elaborate pls? do u mean a user add/remove to a role in authzed?. Managing user+role relationship in authz system is what we do currently, so that part i understand - it's almost a predefined relational set. but sending metadata for each instance of resource is a lot for other apps like CMS - that's a every growing data set. And what are the recommended way to tidy up those stale relation-tuple(e.g. document-data)?