we've had a request in our product discussions for customer service people to be able to define "custom roles" for users on a particular set of objects. my sense is that this is probably just "create a role that has access to a subset of the objects and then assign users to that role," and the concern on my team was that we might have to allow for schema writing. my sense is that that probably isn't necessary because we can reimplement RBAC in the context of ReBAC with the right entity definitions (if indeed it does end up being necessary - still hashing out the details with product). is that more or less the case, or is it more complicated than that?