it sounds like policy-based authz would work fine for you