usually you can handle that by defining an

environment

object type, adding that as a

relation

on each resource, and then having that be walked to provide additional permissions (or remove some)