So the idea is that you create a candidate set of resource keys from the permission system and join that with the external database and / or use it as a post filter?
You're correct. The only thing I'd add is that post filters can also be done without a candidate set of resources by performing individual permission checks for each potential resource. This is slower, but, as I mentioned, it can actually be perform better than you'd think with some tricks.