I have hierarchical structure, 1. Aggregation has...
# spicedb
s
I have a hierarchical structure:
1. An Aggregation has a list of APIs.
2. APIs have fields.
3. One API can be part of multiple Aggregations.
4. Users are given access at the Aggregation level but can be restricted at the API level and on a specific field of an API.
5. Example: Aggregation A has City API and Payment API, Aggregation B has City API and Order API.
6. User Peter has access to all APIs of Aggregation A and Aggregation B but is restricted on Aggregation B's City API.
c
Hi there, since you want to deny access for specific users on specific users, the API and field objects will need a relation to the user. Additionally, I recommend using exclusion (-) to negate access to the API and field objects. Below is a schema and a test relationship that might give you some inspiration:

Schema:
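```
definition user {}

definition aggergation {
    // users granted access at the aggregation level
    relation accesser: user
    permission access_api = accesser
}

definition api {
    // an API can belong to more than one aggregation
    relation parent_aggergation: aggergation
    // users explicitly denied on this API
    relation denied_user: user

    // aggregation-level access minus the users denied on this API
    permission access = parent_aggergation->access_api - denied_user
}
```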
Test relationship:
```
aggergation:aggergationA#accesser@user:peter
aggergation:aggergationB#accesser@user:peter

api:city_api#parent_aggergation@aggergation:aggergationA
api:payment_api#parent_aggergation@aggergation:aggergationA

api:city_api#parent_aggergation@aggergation:aggergationB
api:order_api#parent_aggergation@aggergation:aggergationB

api:city_api#denied_user@user:peter
```
s
Thanks, I see. The only challenge I can see is: let us say I have to get the list of all allowed APIs for Peter for a given Aggregation, it would lead to multiple calls.
`api:city_api#denied_user@user:peter`
This relation would deny Peter from both aggregations' city API?
c
Yes it would