userset rewrite! how to!

[mactavis15]

I am implementing a RBAC like system, where i have a group of employees at various heirarchy. Each group can have multiple managers and members. And each member can be manager of multiple other groups. But no where a groupmember can be member or manager of any of the groups his manager(s) are in.

class Groups implements Namespace {
	related: {
		members:  (User)[]
		managers: (User)[]
	}

	permits = {
		member:   
        }
}

here is a sample list of tuples i have:

1. Groups:sales#members@Jack
2. Groups:accounting#members@Jack
3. Groups:sales#managers@Jill

4. Groups:c#members@Jill

5. Groups:accounting#members@Jake
6. Groups:d#members@Jake

Here are some acyclic things i must ensure:

1. Jack cant be member of Groups:C.
2. Jack cant be manager of Groups:sales and obviously not Groups:C.
3. Jack can be member of some group D but not manager.

I need to ensure no loops occur before promoting an employee to manager. So before, inserting a tuple lets say (Groups:sales#manager@jack) i need to make a /check after removing tuple (1) to ensure jack does not exist among:
1. The members of the Groups:sales &&
2. He is not a member of any of the groups the (Groups:sales#members) are manager of.

I am kind of confused how to write the userset permits "member" here. Could you tell if its possible to do a userset rewrite for this scenario? if yes, how? :D

  permits = {
    member: this.related.members.includes(ctx.subject) || 
		<any groups where this.related.members are manager of && those groups permits(ctx)>         
}

Thanks for reading!