If you’d said: “if I want to operate on resources using their ids”
I’d reply: There’s nothing in the spec that prevents you from doing that. If you do then your API isn’t RESTful, but REST compliance might not be important to you.
But I’m not clear exactly why you say “relationships” here.
Then I think you do need to promote your relationships to resources.
Are you building an API to manage permissions on resources outside the API, or an API to manage resources which also allows permissions for those resources to be managed through the same API?