How might I model a scenario where a particular user in our system is allowed to access an entity, but not with the token they are calling an API with?
To expand, the tokens aren't sent to our backend systems -- we have a service that acts as an intermediary and converts sessions + tokens into something that applications in the backend can understand -- a bitset of permissions and a user ID, for example.
We are wrapping AuthZed in an intermediary service. Does it make sense to apply these token/session-specific rules at that layer? Or is the best practice to find a way to model it in our schema?
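One way to express the token-narrowing rule at the intermediary layer the question describes, as an added example that is not from the poster and is not AuthZed/SpiceDB client code: the user-level grant is looked up from a constructed in-memory table standing in for the authorization service's answer, the token's scopes are mapped to a ceiling of permission bits, and the backend receives only the intersection. All entity names, scope names, bit values and the hypothetical `SCOPE_TO_PERMS` mapping are constructed for illustration.

```python
"""Illustrative intermediary: combine an entity-level authorization decision
(what the *user* may do) with the calling token's scopes (what this *token*
may do), producing the (user_id, permission bitset) shape handed to backends.
Everything here is constructed; nothing is AuthZed/SpiceDB code."""
from dataclasses import dataclass
from enum import IntFlag


class Perm(IntFlag):
    """Permission bits the backend applications understand."""
    READ = 1
    WRITE = 2
    DELETE = 4


@dataclass(frozen=True)
class Session:
    user_id: str
    token_scopes: frozenset  # scopes carried by the token the caller presented


# Constructed stand-in for the authorization service's answer: what the user
# is allowed to do on each entity, independent of which token they present.
USER_ENTITY_PERMS = {
    ("alice", "doc:1"): Perm.READ | Perm.WRITE | Perm.DELETE,
    ("bob", "doc:1"): Perm.READ,
}

# Hypothetical mapping from token scopes to the permission bits they unlock.
SCOPE_TO_PERMS = {
    "docs.read": Perm.READ,
    "docs.write": Perm.WRITE,
    "docs.admin": Perm.READ | Perm.WRITE | Perm.DELETE,
}


def user_permissions(user_id: str, entity: str) -> Perm:
    """User-level grant on the entity (constructed lookup; in practice the
    intermediary would ask the authorization service here)."""
    return USER_ENTITY_PERMS.get((user_id, entity), Perm(0))


def token_ceiling(scopes) -> Perm:
    """Upper bound imposed by the token: union of the bits its scopes unlock.
    Unknown scopes unlock nothing."""
    ceiling = Perm(0)
    for scope in scopes:
        ceiling |= SCOPE_TO_PERMS.get(scope, Perm(0))
    return ceiling


def effective_permissions(session: Session, entity: str) -> Perm:
    """What the backend should see: user grant AND token ceiling.
    A token can only narrow, never widen, what the user is allowed to do."""
    return user_permissions(session.user_id, entity) & token_ceiling(session.token_scopes)


def to_backend_context(session: Session, entity: str) -> dict:
    """The translated context the intermediary forwards to backend services."""
    return {
        "user_id": session.user_id,
        "perms": int(effective_permissions(session, entity)),
    }


if __name__ == "__main__":
    # alice holds full rights on doc:1, but a read-only token yields READ only.
    read_only = Session("alice", frozenset({"docs.read"}))
    print(to_backend_context(read_only, "doc:1"))
    # bob's admin-scoped token cannot exceed bob's own READ grant.
    admin_token = Session("bob", frozenset({"docs.admin"}))
    print(to_backend_context(admin_token, "doc:1"))
```

The design point is the single `&` in `effective_permissions`: keeping the user-level decision in the authorization service and applying the token ceiling at the intermediary means the schema never has to know about individual tokens, while no backend can receive a bit the token did not carry.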