# Casbin access-control model: plain ACL with an optional wildcard subject.
# Section headers and keys must each sit on their own line for the model
# loader to parse them.

# An enforcement request is the triple (subject, resource, action), in this order.
[request_definition]
r = subject, resource, action

# A stored policy rule has the same three fields. No explicit effect column is
# declared, so every rule is treated as an allow rule (Casbin's default eft).
[policy_definition]
p = subject, resource, action

# Allow-override: the request is permitted as soon as one matching rule allows it.
# There is no deny clause, so a grant can only be revoked by removing the rule.
[policy_effect]
e = some(where (p.eft == allow))

# A rule matches when resource and action are string-equal to the request and
# the rule's subject is either the requesting subject or the literal "*".
# - "*" is special only in the subject position; in p.resource or p.action it is
#   compared as an ordinary string and grants nothing broader.
# - A "*" subject rule matches whatever r.subject the caller passes, including an
#   empty or anonymous value. NOTE(review): confirm callers authenticate the
#   subject before calling enforce, and audit who can write "*" rules.
# - No role or group function and no path/pattern function is used here, so
#   there is no inheritance and no prefix matching; resource and action strings
#   should be normalized (case, trailing slash) before enforcement - TODO confirm
#   where that happens.
[matchers]
m = (p.subject == "*" || r.subject == p.subject) && r.resource == p.resource && r.action == p.action