# spicedb
e
I read one article on the authzed blog that talked about it, but the limitations on RBAC are too rigid for my use cases. We want to allow tenants to create complex authorization policy using multiple data (environment, graph of assets inside our infra, ...). Even though we won't allow tenants to code the rego policies themselves, we do need a flexible way to customize those.
v
Caveats are the part that allows you to do policy in SpiceDB, but they are statically defined in schema. We do not support this right now, but it's technically possible: we could let you define "dynamic caveats". This could allow you to define custom policy expressions using Google's CEL, at the expense of missing all the type checking you get by defining the caveat in the schema.
Since you mention environment, the Netflix blogpost also describes how they did something relatively dynamic with static caveats, basically by defining a nested k/v structure passed as argument with all information about their environment.
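A sketch of the static-caveat pattern mentioned in the reply, added here as an illustration; it is not taken from the thread or from the Netflix post. The names `env_matches`, `asset`, `viewer`, and the sample keys and values are assumptions; `isSubtreeOf` is the map comparison SpiceDB provides for `map<any>` caveat parameters.

```zed
// One statically typed caveat; the per-tenant policy lives in the DATA
// bound to each relationship, not in the schema.
caveat env_matches(expected map<any>, provided map<any>) {
  // True when every key/value in `expected` (nested maps included)
  // also appears in `provided`.
  expected.isSubtreeOf(provided)
}

definition user {}

definition asset {
  // A viewer can be granted unconditionally, or only while the caveat holds.
  relation viewer: user | user with env_matches
  permission view = viewer
}

// Constructed sample relationship, written when the tenant saves a policy.
// `expected` is fixed at write time:
//
//   asset:db1#viewer@user:alice[env_matches:{"expected":{"env":"prod","net":{"zone":"internal"}}}]
//
// Constructed sample context supplied by the caller at check time
// for `asset:db1 view user:alice`:
//
//   {"provided":{"env":"prod","net":{"zone":"internal","vpn":true}}}
//     -> caveat is true, permission granted
//   {"provided":{"env":"staging","net":{"zone":"internal"}}}
//     -> caveat is false, permission denied
//   {}  (no `provided` at all)
//     -> result is conditional: SpiceDB reports the missing parameter
//        instead of allowing or denying
```

Because both parameters are `map<any>`, the schema cannot type-check the keys tenants choose, so validate the shape of `expected` in the application before writing the relationship, and treat a conditional result as a denial unless the caller can supply the missing context.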