Security Logic Simplified into a Cheatsheet

Came up with this comment to help me think through end-user security.

    /*
     * Security logic is based roughly on NTFS-style allow and deny lists.
     *
     * The logic is as follows, evaluated in this order:
     * 1. If a specific role or user is in the deny list, they are denied.
     * 2. If a specific role or user is in the allow list, they are allowed.
     * 3. Otherwise, they are denied.
     *
     * Because step 1 runs first, a deny entry always wins, even when the same
     * role or user also appears in the allow list.
     *
     * There are three special values.  Anonymous is a user who is not logged in.
     * All refers to all roles and users.
     * None refers to no roles and no users.
     *
     * The default value of the "deny" list is "None".
     * The default value of the "allow" list is "None".
     * With both defaults in place, nobody has access.
     *
     * Here are some common recipes.
     *
     * If you just want to allow specific roles to have access, define only the "allow" list:
     *   allow: A B C
     *
     * If you want to deny only one role, but allow everyone else:
     *   deny: A
     *   allow: All
     *
     * If you want to temporarily restrict a role, add it to deny, but don't remove it from allow:
     *   deny: B
     *   allow: A B C
     *
     * This is similar to Apache's Allow,Deny order.  Unlike Apache, you cannot specify the
     * order of tests.  This is a feature, not a bug.
     */
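The rules above are small enough to implement in full, so here is an added Python implementation of the deny-then-allow evaluation together with the three recipes from the comment. It is example code written for this page, not the author's own implementation. It assumes lists are whitespace-separated as in the recipes, that role names and user names share one namespace, and that "All" also matches an Anonymous (not logged in) user, which is one reading of "all roles and users".

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# The three special list values named in the comment.
ALL = "All"
NONE = "None"
ANONYMOUS = "Anonymous"


@dataclass(frozen=True)
class Principal:
    """Who is asking: a user name (None when not logged in) plus held roles."""
    user: Optional[str] = None
    roles: FrozenSet[str] = frozenset()

    def identifiers(self) -> FrozenSet[str]:
        """Every name this principal can match in a list: its roles plus its
        user name, or the special value Anonymous when not logged in."""
        return self.roles | {self.user if self.user is not None else ANONYMOUS}


def parse_list(spec: str) -> FrozenSet[str]:
    """Parse a whitespace-separated list such as 'A B C' (assumed format).
    'None' (the default) names nobody, so it contributes no entries."""
    return frozenset(tok for tok in spec.split() if tok != NONE)


def list_matches(entries: FrozenSet[str], principal: Principal) -> bool:
    """True if the principal is named in the list. 'All' matches every
    principal, including Anonymous (assumption: All covers logged-out users)."""
    if ALL in entries:
        return True
    return not entries.isdisjoint(principal.identifiers())


def is_allowed(principal: Principal, deny: str = NONE, allow: str = NONE) -> bool:
    """Evaluate deny, then allow, then default deny, in that fixed order."""
    if list_matches(parse_list(deny), principal):   # 1. deny wins outright
        return False
    if list_matches(parse_list(allow), principal):  # 2. then the allow list
        return True
    return False                                    # 3. otherwise denied


if __name__ == "__main__":
    # Constructed sample principals, not real accounts.
    alice = Principal(user="alice", roles=frozenset({"A"}))
    bob = Principal(user="bob", roles=frozenset({"A", "B"}))
    dave = Principal(user="dave", roles=frozenset({"D"}))
    guest = Principal()  # not logged in -> matches Anonymous

    recipes = {
        "allow only A B C": dict(allow="A B C"),
        "deny A, allow All": dict(deny="A", allow="All"),
        "temporarily restrict B": dict(deny="B", allow="A B C"),
        "defaults (nothing set)": dict(),
    }
    for name, lists in recipes.items():
        print(name)
        for p in (alice, bob, dave, guest):
            who = p.user or "Anonymous"
            print(f"  {who:10s} -> {'allow' if is_allowed(p, **lists) else 'deny'}")
```

Note that bob, who holds both A and B, is denied under the "temporarily restrict B" recipe even though A is still allowed: that is the deny-wins ordering the comment describes, and it is why the recipe works without editing the allow list.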