so if I understand correctly: you only want a token to have permission if it is attached to a user with permission?