Route Authorization in CLJ

Building a Swagger app with fairly complex capability system, what is the most elegant way of expressing, e.g., ‘GET on “/users” is allowed by yellow-admins’? We are using reitit but would love any examples or use-cases that implement this in a way that feels it avoids duplication. Will anyone share what their authorization mechism looks like (high-level is fine)?