Instead of using policies for permissions, I created my custom config file and a middleware to allow users to access certain routes. It is quite simple and everything is in one place!