Hey Mark.
There are two ways to look at this:
Static Policy / Dynamic Context
In the vast majority of cases it is possible to have the policies statically defined and pass in dynamic context as attributes of a principal such as what roles it has in a specific context - eg a tenant or project. The static policy definitions are checking for context set in the principal which would be driven from your apps user/profile service.
An example of this is our
SaaS workspace policy.
Dynamic Policy
For cases where you want to create brand new resources and actions on the fly, then the
Admin API can be used along with a mutable policy store in the form of one of the
database storage engines. From your apps API layer, policies can be created or updated on the fly to add in the new authorization rules.