We should include users who have access from parent groups, not just direct members of the current group.