you could in theory use user-defined roles: https://authzed.com/blog/user-defined-roles/