Hi,
I'm implementing the following sample project. The requirement here is to restrict access to SalesOrder and SalesOrderItems entities to users who have authorizations for particular company codes.
model definition

```cds
using { cuid, managed } from '@sap/cds/common';

namespace salesorders;

entity SalesOrders {
  key ID      : UUID    @title: '{i18n>id}' @Core.Computed;
  orderNumber : Integer @title: '{i18n>orderNumber}';
  description : String  @title: '{i18n>description}';
  company     : String  @title: '{i18n>company}';
  // to-many compositions need an ON condition pointing back to the parent
  items       : Composition of many SalesOrderItems on items.order = $self;
}

// `cuid` dropped here: it would declare a second `key ID` alongside the explicit one below
entity SalesOrderItems {
  key ID  : UUID   @title: '{i18n>id}' @Core.Computed;
  order   : Association to SalesOrders @title: '{i18n>order}';
  product : String @title: '{i18n>product}';
}
```
service definition

```cds
// import path assumed (CAP default layout); adjust to where the model above lives
using { salesorders as db } from '../db/schema';

@requires: ['authenticated-user', 'system-user']
service SalesOrderService {

  @odata.draft.enabled
  entity SalesOrders @(restrict: [
    { grant: 'READ',             to: 'Viewer', where: 'company = $user.company' },
    { grant: ['READ', 'WRITE'],  to: 'Sales',  where: 'company = $user.company' },
    { grant: 'READ',             to: 'Admin' }
  ]) as projection on db.SalesOrders;

  // how to apply authorization check based on company?
  entity SalesOrderItems as projection on db.SalesOrderItems;
}
```
However, on item level we do not have a field "company". Looking at the parent's company code isn't possible, as mentioned in the question below.
https://answers.sap.com/questions/13013423/how-to-follow-associations-in.html
In RAP, there is the concept of Authorization Dependent, as described here.
An entity is defined as authorization dependent (authorization dependent by _Assoc) if the authorization control from the authorization master entity shall also be applied for the operations of this entity.
I think CAP currently doesn't have such a feature, and we have to implement the check in event handlers. Is this understanding correct?
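The event-handler approach the post proposes, as an added example that is not part of the original post or of any SAP sample. Items carry no `company` field, so every decision is resolved through the parent order. Assumptions: the user attribute is `company` (matching `$user.company` in the service), the item's association to its parent is `order` (foreign key `order_ID`), the roles are the three from the service definition, and `readOrderCompany` is a caller-supplied lookup (hypothetical name) so the decision logic can be exercised without a database. The `registerItemAuthorization` wiring uses the real CAP Node.js handler API (`srv.before`, `req.user.is`, `req.reject`, the `SELECT` query builder); the file name it mentions is assumed.

```javascript
// Added example (not from the original post): company-code authorization for
// SalesOrderItems resolved via the parent SalesOrders row, as a CAP Node.js
// service implementation would do it in before-handlers.

const FULL_READ_ROLES = ['Admin'];        // mirrors `grant: 'READ', to: 'Admin'`
const READ_ROLES = ['Viewer', 'Sales'];   // company-scoped read
const WRITE_ROLES = ['Sales'];            // company-scoped write
const WRITE_EVENTS = ['CREATE', 'UPDATE', 'DELETE'];

// `user` is shaped like CAP's req.user: user.is(role) and user.attr.<name>.
const hasAnyRole = (user, roles) => roles.some(r => user.is(r));
const userCompany = user => (user.attr && user.attr.company) || undefined;

// Pure decision: may `user` perform `event` on an item whose parent order
// belongs to `orderCompany`? Same rules as the @restrict on SalesOrders.
function isItemAllowed(user, event, orderCompany) {
  if (event === 'READ' && hasAnyRole(user, FULL_READ_ROLES)) return true;
  const company = userCompany(user);
  if (!company || orderCompany !== company) return false; // deny by default
  if (event === 'READ') return hasAnyRole(user, READ_ROLES);
  return WRITE_EVENTS.includes(event) && hasAnyRole(user, WRITE_ROLES);
}

// READ: instead of filtering rows after the fact, return a CQN where-fragment
// that follows the `order` association to the parent's company. Returned rather
// than applied so it can be unit-tested; `where: null` means "no restriction".
function itemReadFilter(user) {
  if (hasAnyRole(user, FULL_READ_ROLES)) return { ok: true, where: null };
  const company = userCompany(user);
  if (!company) return { ok: false, reason: 'No company code assigned to user' };
  return { ok: true, where: [{ ref: ['order', 'company'] }, '=', { val: company }] };
}

// Writes: locate the parent order (from the payload on CREATE, from the stored
// item otherwise), look up its company, and decide. `readOrderCompany(orderID)`
// is caller-supplied (hypothetical) and resolves to a string or undefined.
async function checkItemWrite(user, event, data, existingItem, readOrderCompany) {
  const orderID = (data && data.order_ID) || (existingItem && existingItem.order_ID);
  if (!orderID) return { ok: false, reason: 'Item has no parent order' };
  const orderCompany = await readOrderCompany(orderID);
  if (orderCompany === undefined) return { ok: false, reason: 'Parent order not found' };
  return isItemAllowed(user, event, orderCompany)
    ? { ok: true }
    : { ok: false, reason: 'Not authorized for the company of this order' };
}

// Wiring into the service implementation (assumed file: srv/sales-order-service.js).
// `SELECT` is the cds.ql global that exists once @sap/cds is loaded; nothing
// here runs until a CAP service calls this function.
function registerItemAuthorization(srv) {
  const { SalesOrders, SalesOrderItems } = srv.entities;
  const readOrderCompany = async id => {
    const row = await SELECT.one.from(SalesOrders, ['company']).where({ ID: id });
    return row ? row.company : undefined;
  };
  srv.before('READ', SalesOrderItems, req => {
    const verdict = itemReadFilter(req.user);
    if (!verdict.ok) return req.reject(403, verdict.reason);
    if (verdict.where) req.query.where(verdict.where);
  });
  srv.before(WRITE_EVENTS, SalesOrderItems, async req => {
    const existing = req.event === 'CREATE'
      ? null
      : await SELECT.one.from(SalesOrderItems, ['order_ID']).where({ ID: req.data.ID });
    const verdict = await checkItemWrite(req.user, req.event, req.data, existing, readOrderCompany);
    if (!verdict.ok) return req.reject(403, verdict.reason);
  });
}

if (typeof module !== 'undefined') {
  module.exports = { isItemAllowed, itemReadFilter, checkItemWrite, registerItemAuthorization };
}
```

Two points worth keeping in mind: the where-fragment approach pushes the company check into the query, so a user without access sees an empty result rather than a 403 that confirms the item exists; and because `SalesOrders` is draft-enabled, the items of an unsaved draft live in the draft shadow table, so the same checks would have to be attached to the draft flow as well, which this example does not cover.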