Diffstat (limited to 'doc/share/authz/README.md')
| -rw-r--r-- | doc/share/authz/README.md | 24 |
1 files changed, 17 insertions, 7 deletions
diff --git a/doc/share/authz/README.md b/doc/share/authz/README.md index 9638c83..b750481 100644 --- a/doc/share/authz/README.md +++ b/doc/share/authz/README.md @@ -9,6 +9,23 @@ identity of subjects and/or groups to which they belong. * Relationship-Based Access Control ([ReBAC](./ReBAC.md)) * Attribute-Based Access Control ([ABAC](./ABAC.md)) +## Policy + +* [What is a policy?](./POLICY.md) +* Policy Language Evaluation + * Zanzibar + * [Dafny](https://dafny.org/) + * Cedar + * Casbin + +Criteria for evaluating policy languages: + +* Must be able to model different types of access control models (RBAC, ReBAC, ABAC) +* Must be able to perform static analysis +* Must be well supported +* Must have concise documentation +* Must provide ability to extend language using Ruby/Golang for describing complex policies. + ## Organizational Hierarchy How does a permission cascade down a group hierarchy? @@ -39,15 +56,8 @@ Organization If a user has a membership at `Group A`, does the permissions associated with that membership cascade down to `Group Aa` and `Group Aaa`? -## Permissions - -* Q: What permissions do each of the standard roles have today? -* Q: Are there permissions that do not cascade down the group hierarchy? - ## Scope -* Q: How do we define the scope of a permission? (hierarchical?) - 1. Single resource 1. Nested resources 1. Individual Attributes on a resource |
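Review bot: In the first hunk, the "Policy Language Evaluation" list mixes things that are not the same kind of candidate: Dafny is a verification-aware programming language rather than an access-control policy language, and Zanzibar is a relationship-based authorization model and system rather than a language, while Cedar and Casbin are policy languages/engines. Say what each entry is being evaluated as (policy language, authorization model, or tool for the "static analysis" criterion), and give the unlinked entries references like the one Dafny has. The criteria themselves would also benefit from precision: "Must be able to perform static analysis" should name the property to be checked (for example, that a policy never grants a given action on a resource, or that two policies do not conflict), and "extend language using Ruby/Golang" should state whether that means embedding custom functions in the engine or generating policies from application code. Minor: only the last criterion ends with a period.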
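Review bot: In the second hunk, the two "Permissions" questions and the "How do we define the scope of a permission? (hierarchical?)" question are deleted without their answers being recorded anywhere in the document, while the closely related cascade question ("If a user has a membership at `Group A`, does the permissions associated with that membership cascade down...") is kept open. If these were resolved, add the answers under "Organizational Hierarchy" or "Scope" (in particular which permissions do not cascade, since that is the security-relevant detail); if they were not, keep the questions. Removing the scope question also leaves the numbered list under "## Scope" with no sentence introducing what the three items enumerate, so a one-line lead-in such as "A permission can be scoped to:" should replace it.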
