# spicedb
Hello, I'm wondering if anyone uses spicedb to authorize access to spicedb read/check/write APIs. I've got a small service that wraps spicedb/authzed but exposes the same/similar gRPC API and I'm considering how I might authorize access to it (our authz service) from other services in our ecosystem. Other services need to write relations and check permissions and they would be using an access token with a "sub" claim that matches their identity (client id). Does it make sense to model the read/check/write etc. API permissions in spicedb so that a middleware could authorize the request? Maybe with a basic schema like this:
```
// subject type referenced by the relations below
definition subject {}

definition authz {
  // roles
  relation reader: subject
  relation writer: subject

  // permissions
  permission check_permissions = reader + writer
  permission write_relations = writer
  permission delete_relations = writer
  permission list_relations = reader
}
```
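The middleware check the question describes, as an added example (not part of the original post, and not SpiceDB's or the poster's code). It assumes the wrapper keeps the authzed.api.v1 method names; `Checker`, `memChecker`, the `authz:default` resource and the service names are hypothetical, and the in-memory checker stands in for a real CheckPermission call.

```go
package main

import "errors"

// Constructed mapping of gRPC method -> schema permission; names assume the authzed.api.v1 API.
var methodPermission = map[string]string{
	"/authzed.api.v1.PermissionsService/CheckPermission":     "check_permissions",
	"/authzed.api.v1.PermissionsService/WriteRelationships":  "write_relations",
	"/authzed.api.v1.PermissionsService/DeleteRelationships": "delete_relations",
	"/authzed.api.v1.PermissionsService/ReadRelationships":   "list_relations",
}

// Checker is a hypothetical stand-in for a CheckPermission call to SpiceDB.
type Checker interface {
	Check(resource, permission, subject string) (bool, error)
}

// memChecker evaluates the schema's permissions over in-memory role sets.
type memChecker struct{ readers, writers map[string]bool }

func (m memChecker) Check(_, permission, subject string) (bool, error) {
	switch permission {
	case "check_permissions": // reader + writer
		return m.readers[subject] || m.writers[subject], nil
	case "list_relations": // reader only
		return m.readers[subject], nil
	case "write_relations", "delete_relations": // writer only
		return m.writers[subject], nil
	}
	return false, errors.New("unknown permission")
}

var ErrDenied = errors.New("permission denied")
// Authorize is what an interceptor would call with the verified "sub" claim.
// Unmapped methods, empty subjects and checker errors all fail closed.
func Authorize(c Checker, fullMethod, sub string) error {
	perm, ok := methodPermission[fullMethod]
	if !ok || sub == "" {
		return ErrDenied
	}
	if allowed, err := c.Check("authz:default", perm, sub); err != nil || !allowed {
		return ErrDenied
	}
	return nil
}

func main() {
	c := memChecker{writers: map[string]bool{"billing-svc": true}}
	println(Authorize(c, "/authzed.api.v1.PermissionsService/WriteRelationships", "billing-svc") == nil)
}
```

With the schema as posted, a client that holds only `writer` is denied `ReadRelationships`, because `list_relations` is granted to `reader` alone.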