make users.datalake.* inheritable
Consider making the structure of users.datalake.* (viewers, editors, admins and ops) inheritable of each other. I.e. users.datalake.editors is a member of users.datalake.viewers, users.datalake.admins is member of users.datalake.editors and so on. And then only add the relevant extra services to the current group. I.e. editors is made member of services legal.editor, storage.creator, schema-service.editors, file.editors and workflow.creator. All the other relevant services is inherited from users.datalake.viewers-membership.