Yep, there's no open source way to protect admin/write/read like authzed.com has right now. We're looking to gather more requirements for open source tenancy though, since we've just been trying to scratch our own itch with what we've built privately.