I'm struggling to see how to solve this problem in principle: I have a resource that can have users of type 1 and type 2. Any type 1 user may read all type 2 users' special info if they are related to the same resource, otherwise not.
But a type 1 user cannot read the special info of other type 1 users. And type 2 users cannot read other type 2 users' special info, regardless of whether they are on the same resource.
This tells me that it should not be modelled on the user definition, as it's the resource relationship that creates the permission link.
It should be possible to have several resources that could reuse the same type 1 and type 2 users in some instances, and then be able to remove a single resource with the accompanying permissions while still respecting that other resources may still be active and allow for the same permission.
definition resource {
    relation user_type1: some_user
    relation user_type2: some_user
}
definition some_user {
    permission can_read_special_info = ?
}
Any suggestions?
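
The rule described above, as an added example that is not part of the original post: a plain-Python model of relationship tuples (not a schema in the post's definition language) in which the only grant is "viewer is `user_type1` and subject is `user_type2` on the same resource". `RelationStore`, `granting_resources`, `build_sample` and the sample users and resources are hypothetical names.

```python
# Added example: relationship tuples are the only source of permissions.
ROLES = {"user_type1", "user_type2"}


class RelationStore:
    def __init__(self):
        self._tuples = set()  # (resource, relation, user)

    def relate(self, resource, relation, user):
        if relation not in ROLES:
            raise ValueError(f"unknown relation: {relation}")
        self._tuples.add((resource, relation, user))

    def remove_resource(self, resource):
        # Dropping a resource drops only the grants that came from it.
        self._tuples = {t for t in self._tuples if t[0] != resource}

    def _resources(self, user, relation):
        return {r for (r, rel, u) in self._tuples if rel == relation and u == user}

    def granting_resources(self, viewer, subject):
        # Resources where viewer is type 1 AND subject is type 2.
        return (self._resources(viewer, "user_type1")
                & self._resources(subject, "user_type2"))

    def can_read_special_info(self, viewer, subject):
        # Default deny: the shared-resource link is the only grant.
        return bool(self.granting_resources(viewer, subject))


def build_sample():
    # Constructed sample data; alice is type 1 on r1/r2 and type 2 on r3.
    store = RelationStore()
    for resource, relation, user in [
        ("r1", "user_type1", "alice"), ("r1", "user_type1", "bob"),
        ("r1", "user_type2", "carol"),
        ("r2", "user_type1", "alice"), ("r2", "user_type2", "carol"),
        ("r2", "user_type2", "dave"),
        ("r3", "user_type1", "erin"), ("r3", "user_type2", "alice"),
    ]:
        store.relate(resource, relation, user)
    return store


if __name__ == "__main__":
    s = build_sample()
    print("alice -> carol via", sorted(s.granting_resources("alice", "carol")))
    s.remove_resource("r1")
    print("after removing r1:", s.can_read_special_info("alice", "carol"),
          s.can_read_special_info("bob", "carol"))
```

Returning the granting resources rather than only a boolean makes it possible to audit which resource relationship justified a given read.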