Dynamic / relational ACL

I have a “Projects” class. Each project has a property called teamIds, which is a list of userIds that can edit the project. I have set it up so that each project row has an ACL of public read and only the teamIds users have write access.

My problem is I have other classes that need to kind of “inherit” the ACL based on which project it’s under. So for example, I have another class called “Products”, some products are products of a particular project. For these rows, I will want an ACL the same as the parent project, which also means if the project added a new teamId, it will need to propagate through to all the associated products.

Would love to hear how people would approach this problem. The only solution in my mind at the moment is the call a cloud function trigger and update all associated products when teamId gets updated.