hello, I'm trying to model the concept of reusable roles. The idea would be to create a RBAC layer on top of ReBAC the following way: 1. users can be assigned to groups 2. groups can be assigned to roles 3. roles have a set of permissions related to the type

thing

, but not to a specific object id 4. (to keep it simple) the

things

are related to groups the resolution would be that if a user belongs to a group assigned to the thing and at the same time belongs to a role with the requested permission then they are allowed. In my attempts to model this, I always end up with roles being assigned to a specific object id, making them non-reusable (i.e. multiple assigned need to be done to each object id, at which point groups become useless and users could be assigned directly to roles.