[request_definition]
r = type, app, sub, obj, act, model

[policy_definition]
p = type, app, sub, obj, act, model

[role_definition]
g = _, _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = g(r.sub, p.sub, r.app) && (r.type == p.type && r.app == p.app && ParamsMatch(r.obj,p.obj) && r.act == p.act && r.model == p.model) || r.sub == "1"