QQ: Has anyone used AuthZed to satisfy Enterprise use cases that are not 1st party applications authorization?
---more info--
Trying to think "outside of the box" to solve some knotty problems I have in my large enterprise IAM department.
In a video I was watching, Jake said that SpiceDB is "mostly" for user (customer) authz in one's internally developed applications (1st party apps).
I am curious about those other cases that are outside of that "mostly" app authz.
For access to 3rd party SaaS apps, an IDP (Okta) authenticates the user and forwards the user back to the SaaS with an OIDC AuthCode and IDToken, and typically just the subj is used by the SaaS (think GitLab, Salesforce, Jira, AWS resources).
Even if I cannot impact the SaaS's internal authentication PDP/PEP, I would like to model what 3rd party apps a user can access using relationships rather than directory group membership or a custom claim/tag.
Has anybody done anything like this, where Okta reaches out to AuthZed (via an Okta Workflow) to see if a user has a relationship with the SaaS application and then completes that authentication process?
Even if it can be done, are there significant advantages? Or does it just add complexity?
Our problem is that we have way too many "roles" that mainly map to Workday Department metadata (which itself is not stable), and we have too many groups in the directory. I am now trying to simplify that situation and wonder if it is best not to create a new role/group strategy but rather go to a graph/ReBAC approach.
TIA
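To make the "relationships instead of groups" idea in the question concrete, here is an added example (not from the original post, and not AuthZed's or SpiceDB's own code): a constructed SpiceDB-style schema in which a user reaches a SaaS app either directly or through a department, plus a small offline evaluator that walks that relationship graph the way a permission check would. The schema, the tuple format and the department/app names are assumptions for illustration; a real deployment would issue the same question to SpiceDB rather than to this toy.

```python
# Constructed schema in SpiceDB's schema language; the tuples below follow it.
# `assignee` accepts a plain user or a subject set such as department#member,
# so the `access` permission resolves through the department relationship.
SCHEMA = """
definition user {}

definition department {
    relation member: user
}

definition saas_app {
    relation assignee: user | department#member
    permission access = assignee
}
"""

# Constructed relationship tuples: (resource, relation, subject).
# A subject is either ("user", id) or a subject set ("department", id, "member").
TUPLES = [
    (("department", "finance"), "member", ("user", "alice")),
    (("department", "finance"), "member", ("user", "bob")),
    (("saas_app", "salesforce"), "assignee", ("department", "finance", "member")),
    (("saas_app", "gitlab"), "assignee", ("user", "carol")),
]


def subjects_of(resource, relation, tuples=TUPLES, seen=None):
    """Expand resource#relation into the set of concrete user ids, recursively
    following subject sets (e.g. department#member); `seen` guards against cycles."""
    seen = set() if seen is None else seen
    if (resource, relation) in seen:
        return set()
    seen.add((resource, relation))
    users = set()
    for res, rel, subj in tuples:
        if res != resource or rel != relation:
            continue
        if len(subj) == 2:  # direct user subject
            users.add(subj[1])
        else:  # subject set: recurse into that resource's relation
            users |= subjects_of((subj[0], subj[1]), subj[2], tuples, seen)
    return users


def can_access(user_id, app_id, tuples=TUPLES):
    """Evaluate the `access` permission on saas_app for one user: the check an
    IdP workflow would ask before completing the login to that SaaS app."""
    return user_id in subjects_of(("saas_app", app_id), "assignee", tuples)
```

Moving alice from one department to another is then a single tuple change, rather than editing every group that was derived from the old department metadata.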