i ask because we ran into a similar issue at my previous company and the way we decided to approach it was pushing role management out into a normal CRUD service and then replicating it into SpiceDB rather than making SpiceDB the source of truth there