[request_definition]
r = role, objectsRole, orgType, objectsOrgType, orgRelation, objectsRelation, obj, act

[policy_definition]
p = role, objectsRole, orgType, objectsOrgType, orgRelation, objectsRelation, obj, act

[policy_effect]
e = some(where (p.eft == allow)) && !some(where (p.eft == deny))

[matchers]
m = keyMatch(r.role, p.role) && keyMatch(r.objectsRole, p.objectsRole) && keyMatch(r.orgType, p.orgType) && keyMatch(r.objectsOrgType, p.objectsOrgType) && keyMatch(r.objectsRelation, p.objectsRelation) && keyMatch(r.orgRelation, p.orgRelation) && keyMatch(r.obj, p.obj) && (r.act == p.act || p.act == "*")