10/19/2022, 8:43 AM
So let's say you have a group hierarchy in Active Directory to govern users' access generally, like user A is an author in department B, but use SpiceDB for additional ABAC, like Document C is shared with user D. This requires copy-modeling some of the AD groups in SpiceDB. Then which pattern would be smart to use to keep the internal SpiceDB relations in sync, as users may switch AD groups (for instance, if user A switches department)? Do you keep an AD copy locally and, whenever a change occurs, traverse all relevant user relations for updates, which sounds quite error-prone, or is there a better pattern?