And further, is there a reasonable way to model attribute-aware authz within spice, or should I keep an additional layer on top and combine zed policy decisions with attribute-based decisions?