We're thinking about adding entitlements-like functionality next to our existing H-RBAC setup that we implemented with SpiceDB. We have an "organization" resource that is pretty central, and entitlements will be available per-org, not per-user. I'm currently trying to figure out if it's more reasonable to model entitlements simply as permissions on that main "organization" resource that we have ("org->use_premium_feature") or as instances of a new "entitlement" definition, have which a relation to the organization and are then queryable via a "entitlement->use" permission on the entitlement resource. The latter feels more dynamic (you can manage the entitlements that exist at runtime) while the former seems more obvious ("entitlement" and "permission" seems like basically the same concept). Any pointers are appreciated if someone has experience with this