The draft currently defines a Resource Query API to lookup whether a subject can access a specific resource.
There should also be a complementary query to lookup which subjects have access a given resource.
Like "_which users (subjects) can read the document 'xyz'_?"
(whereas 'user' is a subject of type 'user' and "document 'xyz'" is a resource of type "document" and id 'xyz')
Proposed wording
## Subject Lookup Query
Perform a lookup of all subjects of a particular kind which have permissions to a certain resource. This is the complementary operation of 'Resource Lookup Query'.
Lookup subjects can be used in form of a question like "which subjects of type '_user_' have '_read_' permission on the object of 'document' and 'xyz'?"
mandatory input parameters should be
resource definition (resource type or other criteria)
permission (or relation?)
subject criteria (type definition like "user" or "devices" or whichever type a subject may have)
The draft currently defines a Resource Query API to lookup whether a subject can access a specific resource.
There should also be a complementary query to lookup which subjects have access a given resource. Like "_which users (subjects) can read the document 'xyz'_?" (whereas 'user' is a subject of type 'user' and "document 'xyz'" is a resource of type "document" and id 'xyz')
Proposed wording
mandatory input parameters should be