It sounds like an incomplete model if groups aren't themselves controllable objects. I think they are punting to host MAC for that?
Fun factoid: Even if roles aren't explicitly compiled to ACLs -- which is really an arbitrary implementation artifact, not a design requirement -- a lot of ABAC systems (and their policies) like these can be provably converted on-the-fly. This matters bc (1) it frees up implementations to be things like in-DB RLS policies (so you don't need to leave the DB for authorization decisions, as recent Google-clones and auth startups slow your app down with), and (2) you can send the policies (vs ACL 'binaries') to friendly verifiers like Z3 for fast and easy interactive analysis/querying/auditing/verification. We wrote a paper showing XACML -> BDDs for that ("Margrave") in what now feels like the stone age, and AWS more recently redid it for IAM via Z3.
IMO, getting this into postgres could be a pillar for a really awesome DBaaS/PaaS startup: imagine Django or Rails w built-in scale-to-zero multitenancy & rich collaboration, which are normally a PITA
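As an added illustration of the point above (not code from the commenter, Margrave, or AWS): a small ABAC policy compiled into a Postgres RLS policy so the decision runs in the database, with an exhaustive-enumeration checker standing in for the BDD/Z3 analysis; the attribute names, the `documents` table and the `app.role`/`app.dept` session settings are assumptions.

```python
from itertools import product

# Finite attribute domains (constructed) that the checker enumerates exhaustively.
DOMAINS = {
    "role": ["admin", "manager", "employee"],
    "dept": ["eng", "sales"],
    "row_dept": ["eng", "sales"],
    "row_sensitive": [False, True],
}
# ABAC policy: permit if any rule's conditions all hold (subject and row attributes).
RULES = [
    {"role": "admin"},
    {"role": "manager", "same_dept": True},
    {"role": "employee", "same_dept": True, "row_sensitive": False},
]

def permits(rules, attrs):
    """Reference semantics of the policy on one subject/row attribute assignment."""
    derived = dict(attrs, same_dept=(attrs["dept"] == attrs["row_dept"]))
    return any(all(derived[k] == v for k, v in rule.items()) for rule in rules)

def assignments():
    keys = list(DOMAINS)
    for values in product(*(DOMAINS[k] for k in keys)):
        yield dict(zip(keys, values))

def audit(rules, **fixed):
    """Query the policy: all permitted assignments matching the fixed attributes
    (e.g. 'who can read sensitive rows?'); an empty list is a proof over this universe."""
    return [a for a in assignments()
            if all(a[k] == v for k, v in fixed.items()) and permits(rules, a)]

def counterexamples(rules_a, rules_b):
    """Assignments on which two policy versions disagree; empty means equivalent."""
    return [a for a in assignments() if permits(rules_a, a) != permits(rules_b, a)]

def compile_rls(rules, table="documents"):
    """Compile the same rules to a Postgres RLS policy so decisions run inside the DB.
    Subject attributes come from session settings the app sets (assumed: app.role, app.dept)."""
    def cond(k, v):
        if k == "role":
            return f"current_setting('app.role') = '{v}'"
        if k == "same_dept":
            return f"dept {'=' if v else '<>'} current_setting('app.dept')"
        if k == "row_sensitive":
            return f"sensitive = {'true' if v else 'false'}"
        raise ValueError(f"unknown attribute {k}")
    clauses = ["(" + " AND ".join(cond(k, v) for k, v in r.items()) + ")" for r in rules]
    return f"CREATE POLICY abac_read ON {table} FOR SELECT USING (\n  " + "\n  OR ".join(clauses) + "\n);"
```

`counterexamples` is the check you would run when refactoring a policy: it reports exactly the assignments where the new version grants or denies differently, which is what a BDD or SMT encoding gives you symbolically for domains too large to enumerate.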