I'm unsure of how to map this in SpiceDB => as the permissions sets are custom, they can be created by the end users and thus will have to be dealt as a "dynamic" thing. Is it possible to encode such behavior into a static schema and putting all the "dynamic" part of the problem into relationships? Or should the schema be generated dynamically when new permission sets are added in the system? As out app is multi tenant and permissions sets will be "per tenant", what is the proper approach with SpiceDB schema? Should we have 1 schema per tenant? Or a global schema definition with "per tenant" permissions declarations?