Another question I've been mulling over, around custom permissions:
Right now we enable tenants to heavily customize roles and permissions. Trying to model this the Cerbos way, I believe that custom "roles" are a user-facing label around sets of attributes that we can then derive roles from in Cerbos policies, rather than trying to make Cerbos custom-role aware or updating policies. Does that sound like the right approach? If there's any exceptions or gotcha or "you might want to update policies if" type thoughts, would love to hear them!
(So much for not having questions 😄 )