If I have to build a ABAC type authorization schema, how to achieve that? I want to achieve something like, "Allow users to sales document only if user belongs to sales department? " These kind of policy are very easy to setup in OPA...