I have two options: 1. When token inherits all user permissions by default

user:user_id#inheritor@user:access_key

2. A user creates a token with restricted permissions, for example: just read only access. But if user has no access to some resource even to read, the token should not have an access too