| [request_definition] | |
| r = sub, obj, act | |
| r2 = sub, obj, act | |
| [policy_definition] | |
| p = sub, obj, act | |
| p2 = sub_rule, obj, act, eft | |
| [role_definition] | |
| g = _, _ | |
| [policy_effect] | |
| e = some(where (p.eft == allow)) | |
| [matchers] | |
| #RABC | |
| m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act | |
| #ABAC | |
| m2 = eval(p2.sub_rule) && r2.obj == p2.obj && r2.act == p2.act |