One of the challenges in authz systems is understanding what attributes are required in order to allow someone to be granted access, especially when they are denied access. I am new to SpiceDB, so can you please help me understand how this problem is addressed?