Hey, Let's say I want to allow creating custom roles with custom permission on scopes (to allow access to multiple resource types and actions). So per role, I wanted to create a matching permission with the allowed scopes (resource-type-foo-create/resource-type-bar-create/etc..) and policies accordingly (role/client/user/group). So if I have: Role A Allowed: foo-create, foo-read, bar-read Role B Allowed: foo-read, bar-read Because they have conflicting scopes, foo-read always gets denied. So as I see, it can't be done this way. Maybe there should be a Decision Strategy to permissions evaluation like in a single permission with policies? Thanks, Or