Yep, what I'm looking to achieve is for the authz layer to decide on if an action can be performed on an entity, which is why I'd like to defer that to the authz layer. Of course, I can also build the authz service on top of zed/spicedb, but not keeping it in the db means I can't log it for auditing in a consistent way.