at that point they might as well just make pull requests against your schema, which is how it'd work if you weren't defining the permissions as data