SpiceDB is an open source, Google Zanzibar-inspired, database system for creating and managing security-critical application permissions.

SpiceDB

It looks like it would work for this example 👍 
I am finding that it's not very descriptive of our actual domain though, I'd like to be able to write `user:123 is admin of org:foo` and `flag:new_admin_dashboard is enabled in org:foo` and walk through these relations to decide permissions.
Here I'd have to write `the admins of org:foo have feature_flag_new_admin_dashboard in org:foo` which doesn't make a lot of sense (`feature_flag_new_admin_dashboard` shouldn't really be a relationship) and encodes part of the permission logic within the relationship (the user needs to be an admin of the organisation), which makes it harder to evolve in the future.