We are planning out the authorization schema for a growing PaaS with several SaaS offerings, and as the granularity of the permissions (with custom roles) and services go up, the definition balloons