As the title states. I'm curious how others have handled object level permissions in a system that consists of many services.

Particularly when the individual object permissions can be in the thousands.

Example:

Service A contains thousands of objects for which a user can have access to any number of. While Service B has meta data that relates to objects in Service A. If the user makes a direct request to Service B for a set of objects, how does Service B check if the user has permission to access metadata for the requested objects from Service A.