# Casbin access-control model: RBAC with a wildcard subject.
# A request is allowed when at least one policy rule matches it (see [matchers]).

# Shape of an authorization request: who is asking, for which object, to do what.
[request_definition]
r = user, object, action

# Shape of a policy rule. The fields mirror the request fields one-to-one.
# There is no explicit effect (eft) field here, so rules can only grant;
# NOTE(review): Casbin is expected to treat a rule without eft as "allow" - confirm for the version in use.
[policy_definition]
p = user, object, action

# Two-argument grouping relation used by g() in the matcher.
# presumably (user, role) pairs - verify against the policy data that populates it.
[role_definition]
g = _, _

# Allow-override: the request is permitted if any matched rule has effect allow.
# No deny clause is evaluated, so a broad rule cannot be narrowed by another rule.
[policy_effect]
e = some(where (p.eft == allow))

# A rule matches when:
#   - the request user is linked to the rule's user through g(), OR the rule's
#     user field is the literal string "*", AND
#   - object and action are exactly equal (plain string ==, no pattern or prefix matching).
# The "*" branch never inspects r.user: a "*" rule applies to every subject value
# the caller passes in, including whatever identifier the application uses for
# unauthenticated or anonymous requests. Review every "*" rule in the policy store
# with that in mind, and restrict who can write rules to it.
[matchers]
m = (g(r.user, p.user) || p.user == "*" ) && r.object == p.object && r.action == p.action