Any thoughts on how one might model a reduced set of privileges? For example, under normal circumstances, a client might present my service with a bearer identity token. My service would then ask spicedb if the subject identified in the validated identity token has permission to perform the current operation. I'm imagining wanting to give a client a token with some sort of privilege mask. Maybe that means a reduced set of group memberships or only read-only operations. One way to do this would be to create a new identity and only add that identity to a subset of groups, but maintaining a separate identity in lock step with a client's primary identity seems difficult.