10/03/2021, 5:25 PM
Examples and papers would be an extremely useful starting point. To follow up on a related matter, if we wanted all authorisation logic to happen in one place, that also means authz decisions based on data like IP address (for a hypothetical, let's say an internal system that can be used by our staff and requires access to be on-prem/VPN). How do you reason about that in authz logic, since that requires some ephemeral data (IP being request-bound)? You could of course do it through attributes, just asking the question out loud more than anything to see if there are good ideas.