Another typical policy I want to write, "Doctors can view medical records of any patient in their department and update any patient record that is directly assigned to them, during working hours and from an approved device" Do you think, this is ABAC? I have build something like this, https://play.authzed.com/s/HuuZmEuESuhL/schema. does it make sense or is it over complicated?