Org / Team / Channel rights privacy rules

I am trying to setup privacy rules for my app. I have the following data types

  • Org
  • Team
  • Channel

So an org has many channels but a use could have different rights in every team they are a part of. If I create a data type of UserTeam with user/team/rights I can no longer user it in a privacy rule because the only action allowed on the property is contains.

Another way is to create a list of Teams on the User table. This helps with the privacy rule but strips out the rights.

Is there a way to do this within one construct or do I have to have two mechanisms: one for the privacy and one for the interface?

Thank you,
Richard