If there's no special mechanism for matching JSON on actors we could instead have code that dynamically adds or removes the actor from a group based on their JSON, matched against something in config? Then you could configure the plugin like this:
Now any time we're about to run a permission check on an actor we first confirm that they are a member or NOT a member of the admin group based on matching them against that rule.
Originally posted by @simonw in https://github.com/datasette/datasette-acl/issues/1#issuecomment-2320112976