or is the solution here to represent top-level permissions and policies with constraints? Like granting

job.view

, and then having a

Policy

with a constraint where the job ID must be 42