In my last project I had to implement permissions based on azure active directory groups (roles) in combination with data related permissions --> is a user owner of an entity, is an user a manager of the owner of an entity. For this project we implemented a custom solution to facilitate the data based permissions. A week ago I found out about Spicedb and I find the project very interesting. However I was wondering how to use it, to implement the use case of my last project. Would you use a hybrid approach: combine Azure AD groups for the groups (roles) and use Spicedb for the data related permissions. Or do you just sync all the users of the AD groups to Spicedb? Or is there another solution available that I am missing?