How do we handle an admin user with lots of permissions?

Hi, I am not sure what's the underlying logic of document level permission. I suppose it's something like:

  1. get the permission list of current user
  2. construct a terms filter on field _allow_permissions

This search logic is easy for:

  1. super-admin user: he could read any documents, no permission filters at all.
  2. normal user: he could read part of documents, with several permission filters.

But when it comes to a second-level admin user, things get difficult. Say we have 10,000 unique permissions, and he could access 7,000 permissions among them. I worry about the performance if we construct a 7,000-length terms filter.

So is there any other delicate design underlying the document level permission logic?