Extend # in relation types to support permissions #1013

Open
UnguidedFreedom opened this issue Jan 17, 2024 · 0 comments
Labels
feature request New feature or request

UnguidedFreedom commented Jan 17, 2024

Is your feature request related to a problem? Please describe.
When defining the types of a relation, there are currently two options: an entity, or an entity's relation. Not having the ability to target an entity's permissions is quite limiting.

Example scenario: recursive ReBAC and indirect uses of it. I want to model nested groups as well as documents. Access to a document can be given to either a user or a group; and giving a group access should follow the inheritance of the group.

Let's say I have the following group structure:

  • group:Engineering
    • group:Hardware
      • group:Mechanical
      • group:Electronics
    • group:Software
      • group:Backend
      • group:Frontend

I want to give both user:Ben and members of group:Electronics read access to document:PCB_files. Because members of group:Electronics have access, members of group:Hardware and group:Engineering should also have access.

Describe the solution you'd like
The suggested solution would be to extend the # operator in relation type definitions to support specifying permissions in addition to relations.

The resulting schema would look something like this:

entity user {}

entity group {
    relation direct_member @user
    relation parent @group

    permission member = direct_member or parent.member
}

entity document {
    relation owner @user
    relation writer @user @group#member
    relation reader @user @group#member

    action write = owner or writer
    action read = owner or writer or reader
}

Describe alternatives you've considered
The current approach to achieve this is as follows, which is less than elegant:

entity user {}

entity group {
    relation direct_member @user
    relation parent @group

    permission member = direct_member or parent.member
}

entity document {
    relation owner @user
    relation writer @user
    relation writer_g @group
    relation reader @user
    relation reader_g @group

    action write = owner or writer or writer_g.member
    action read = owner or writer or writer_g.member or reader or reader_g.member
}

Additional context
This feature is supported by the Google Zanzibar whitepaper, as well as several authorization alternatives such as SpiceDB or OpenFGA.

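As an added illustration (Python, written for this page, not the project's own code and not part of the issue): a minimal evaluator for the requested @group#member subject form over the issue's group tree, following the schema's definitions of member and read. The tuple list and the users Eve, Hana and Bob are constructed for the example; only Ben, the groups and document:PCB_files come from the issue. It also guards against a parent cycle in the data so that evaluation always terminates.

```python
from collections import defaultdict

# Constructed relation tuples for the scenario in the issue, as (object, relation, subject).
# A subject is a user id, a group id (for "parent"), or the userset "group:X#member"
# that the request wants to allow on document relations. Eve, Hana and Bob are made up.
TUPLES = [
    ("group:Hardware", "parent", "group:Engineering"),
    ("group:Mechanical", "parent", "group:Hardware"),
    ("group:Electronics", "parent", "group:Hardware"),
    ("group:Software", "parent", "group:Engineering"),
    ("group:Backend", "parent", "group:Software"),
    ("group:Frontend", "parent", "group:Software"),
    ("group:Electronics", "direct_member", "user:Eve"),
    ("group:Hardware", "direct_member", "user:Hana"),
    ("group:Backend", "direct_member", "user:Bob"),
    ("document:PCB_files", "reader", "user:Ben"),
    ("document:PCB_files", "reader", "group:Electronics#member"),
]

def build_index(tuples):
    """Index tuples as (object, relation) -> set of subjects."""
    rel = defaultdict(set)
    for obj, relation, subject in tuples:
        rel[(obj, relation)].add(subject)
    return rel

def is_member(rel, group, user, seen=frozenset()):
    """permission member = direct_member or parent.member (as defined in the issue's schema)."""
    if group in seen:
        return False  # cycle guard: a parent loop in the data must not recurse forever
    seen = seen | {group}
    if user in rel[(group, "direct_member")]:
        return True
    return any(is_member(rel, parent, user, seen) for parent in rel[(group, "parent")])

def can_read(rel, doc, user):
    """action read = owner or writer or reader, expanding @group#member usersets."""
    for relation in ("owner", "writer", "reader"):
        for subject in rel[(doc, relation)]:
            if subject == user:
                return True
            if subject.endswith("#member") and is_member(rel, subject[: -len("#member")], user):
                return True
    return False

REL = build_index(TUPLES)
```

With the constructed data, Ben (direct reader), Eve (in Electronics) and Hana (in Hardware, a parent of Electronics) can read, while Bob (in Backend) cannot.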