[request_definition]
r = role, object, action

[policy_definition]
p = role, object, action

[role_definition]
g = _, _

[policy_effect]
e = some(where (p_eft == allow))

[matchers]
m = (g(r.role, p.role) || keyMatch(r.role, p.role)) && r.object == p.object && r.action == p.action