Specifying Permissions in a Policy