Hi, if I want to dynamically authorize a user lets say depending on whether the user is from the same department or not, can I use caveats to authorize them without having a relation to the resource?