The specific thing that I'm trying to avoid is that currently we'd have to set up our service to learn about all instances of managed objects in our system (e.g. through Kafka consumers on all of those objects) in order to answer the question of "can a user assign another user a permission on this object".