diff --git a/db/check.go b/db/check.go
index ed6cb7c6..8e17600a 100644
--- a/db/check.go
+++ b/db/check.go
@@ -60,6 +60,13 @@ func (d *document) grant(ctx context.Context, when method) (ok bool, err error)
 		return false, err
 	}
 
+	// Once we have the table we reset the
+	// context to DB level so that no other
+	// embedded permissions are checked on
+	// records within these permissions.
+
+	ctx = context.WithValue(ctx, ctxKeyKind, cnf.AuthDB)
+
 	// We then try to process the relevant
 	// permissions dependent on the query
 	// that we are currently processing. If
@@ -123,6 +130,13 @@ func (d *document) allow(ctx context.Context, when method) (ok bool, err error)
 		return false, err
 	}
 
+	// Once we have the table we reset the
+	// context to DB level so that no other
+	// embedded permissions are checked on
+	// records within these permissions.
+
+	ctx = context.WithValue(ctx, ctxKeyKind, cnf.AuthDB)
+
 	// We then try to process the relevant
 	// permissions dependent on the query
 	// that we are currently processing. If
diff --git a/db/iterator.go b/db/iterator.go
index a7b96119..4347c002 100644
--- a/db/iterator.go
+++ b/db/iterator.go
@@ -500,6 +500,13 @@ func (i *iterator) processPerms(ctx context.Context, nsv, dbv, tbv string) {
 		}
 	}
 
+	// If the table does exist we reset the
+	// context to DB level so that no other
+	// embedded permissions are checked on
+	// records within these permissions.
+
+	ctx = context.WithValue(ctx, ctxKeyKind, cnf.AuthDB)
+
 	// If the table does exist we then try
 	// to process the relevant permissions
 	// expression, but only if they don't