It's complex because you have to create your own concept of roles and manage it all yourself -- you're fundamentally building another permission system within Authzed and using Authzed to delegate access to those that will then manage your permission system.