[request_definition]
r = user, thing, action

[policy_definition]
p = role, thing, action
p2 = role, action

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = g(r.user, p.role) && r.thing == p.thing && r.action == p.action
m2 = g(r.user, p2.role) && r.action == p.action

[role_definition]
g = _,_
g2 = _,_