An example method is provided for a computing device to perform access control for a user account. The method may include receiving a request for the user account to access a resource, wherein the resource is accessible via the computing device, and determining a permission set required to access the resource. The method may further include performing a bidirectional search to determine whether the user account is assigned to the permission set, the bidirectional search including a first search and a second search. In response to determination that the user account is included in a nested group membership that assigns the user account to the permission set based on the bidirectional search, the method may include permitting the user account to access the resource using the permission set.