examples/blp_model.conf - casbin - Git at Google

 [request_definition]
 r = sub, sub_level, obj, obj_level, act

 [policy_definition]
 p = sub, obj, act

 [role_definition]
 g = _, _

 [policy_effect]
 e = some(where (p.eft == allow))

 [matchers]
 m = (r.act == "read" && r.sub_level >= r.obj_level) || (r.act == "write" && r.sub_level <= r.obj_level)
	[request_definition]
	r = sub, sub_level, obj, obj_level, act

	[policy_definition]
	p = sub, obj, act

	[role_definition]
	g = _, _

	[policy_effect]
	e = some(where (p.eft == allow))

	[matchers]
	m = (r.act == "read" && r.sub_level >= r.obj_level) \|\| (r.act == "write" && r.sub_level <= r.obj_level)