Allow the use of "Expression Policy" for use with Authentik permissions/RBAC

[Anderen2]

Is your feature request related to a problem? Please describe.
Currently the permissions in Authentik is RBAC only, with no way of defining time-based, attribute-based, or other forms of access control.

Describe the solution you'd like
To enable more advanced RBAC permission scenarios, it would be useful to be able to define these with a Python expression. One such example would be to only allow changes within working hours, or to disallow self-elevation of access.

Not sure if this is best implemented at a "global" level, where the expression must be created in a generic fashion, or if it should be scoped down per object or action type.

As a uninformed mockup example for a "global" expression:

if object_type in ["group", "role", "entitlement"] and action == add_member:
    if request.user == context.member_to_add:
        return False
        
return True

Describe alternatives you've considered
N/A

Additional context
N/A