[request_definition]
r = uid, permission, act

[policy_definition]
p = uid, permission, act, eft

[role_definition]
g = _, _

[policy_effect]
e = some(where (p.eft == allow)) && !some(where (p.eft == deny))

[matchers]
m = g(r.uid, p.uid) && r.permission == p.permission && r.act == p.act