Access control at the account level

Access control at the account level

Is there a way to lock down individual accounts within a resource? I don't want to have to create multiple copies of a resource based variations in permissions. It would be ideal to be able to logically organize my accounts in a single resource with a default access control and then be able to specify more granular access control at the account level if needed.

I'm hoping I'm just overlooking a less obvious setting. Otherwise this is misleading selling point on the product page, " Assign roles to your users and establish fine-grained access controls."