I'm trying to understand what's been working well for others when you have a permissions system with Users and Organizations/Groups. Do people tend to treat SpiceDB as the "source of truth" for which users belong to which organization(s) or do they duplicate this data and only rely on SpiceDB for the permissions/authorization piece? For example, imagine that you have a page to manage organization users. Do people tend to ignore their own database and instead store all of this information in SpiceDB? (This becomes more complex as you consider things like metadata and audit trails, of course)