Should permissions go with users, or with apps, or some combination? “Joe gets to see X, but only if he isn’t using app Y?”