allow(_: Dictionary{sub: sub}, action, resource) if
    allow(new User(sub), action, resource);

allow("guest", action, resource) if
    allow(new User("guest"), action, resource);

allow(_: Dictionary{username: name}, action, resource) if
    allow(new User(name), action, resource);

allow(_actor: User, "get", _resource: Widget);
allow(actor: User, "create", resource: Company) if
    resource.role(actor) = "admin";

allow(actor: User, "frob", resource: Company) if
    resource in actor.companies();

allow(actor: User, "list", Company) if
   actor.name = "auditor";