hey! I've started trying to map out an abac-y styl...
# spicedb
hey! I've started trying to map out an abac-y style of authz. I'm used to a policy system that allows users to either specify an attribute or default to that attribute being open. A teammate pointed me to the open ABAC ticket and paper, which was helpful too. https://play.authzed.com/s/XDTERfryivgG/expected is my current playground. I'm thinking I've made at least some mistake attempting to build out the group - I'm a bit confused by the need to build the state space of possible attributes in advance, but I suspect that is a by-product of how I've structured my group definition rather than something spice imposes. Should I expect to be able to make a single request for check_permission to ask the following questions: `can app foo in us-east-1 in app test view doc`; or `can app bar with super account and super region view doc`, or would this just require distinct checks for each attribute?