That's definitely a very useful behaviour, which probably should be made default, and mandatory to implement. But I do not think we should unnecessarily limit the protocol to accommodate only this usage. All these issues may be solved at the PEP level just as well - it is up to an application to interpret each possible result.

For example, for credentials foo = 1 and spam = 0, and a policy with two rules

    policy <
        permit if (divide foo spam) > 1
        permit if foo > 0
    >

it does not seem absolutely clear to me that the result should be DENY (or PERMIT as well - there may be choices..)
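The ambiguity raised in the message above, as an added example that is not part of the original message or of any protocol implementation: the two rules are evaluated with foo = 1 and spam = 0 under three ways of handling a rule that fails to evaluate. The names `Decision`, `evaluate`, `pep_enforce` and the strategy labels are assumptions made for illustration.

```python
# Added illustration; all names and strategy labels here are hypothetical.
from enum import Enum

class Decision(Enum):
    PERMIT = "PERMIT"
    DENY = "DENY"
    INDETERMINATE = "INDETERMINATE"

# The two rules from the message, as predicates over the credentials.
RULES = [
    lambda c: c["foo"] / c["spam"] > 1,  # permit if (divide foo spam) > 1
    lambda c: c["foo"] > 0,              # permit if foo > 0
]

def run_rules(rules, creds):
    """Evaluate each rule to True, False, or None (the rule raised an error)."""
    results = []
    for rule in rules:
        try:
            results.append(bool(rule(creds)))
        except (ZeroDivisionError, KeyError):
            results.append(None)
    return results

def evaluate(rules, creds, on_error):
    """Combine rule results; on_error selects how an errored rule is treated."""
    if on_error not in ("fail-closed", "skip", "report"):
        raise ValueError("unknown strategy: " + on_error)
    results = run_rules(rules, creds)
    errored = None in results
    if errored and on_error == "fail-closed":
        return Decision.DENY           # any evaluation error denies the request
    if errored and on_error == "report":
        return Decision.INDETERMINATE  # leave the choice to the PEP
    # "skip" (or no error): an errored rule simply does not match
    return Decision.PERMIT if any(r is True for r in results) else Decision.DENY

def pep_enforce(decision, permit_on_indeterminate=False):
    """PEP-side interpretation of the result; returns True to grant access."""
    if decision is Decision.INDETERMINATE:
        return permit_on_indeterminate
    return decision is Decision.PERMIT

if __name__ == "__main__":
    creds = {"foo": 1, "spam": 0}  # the credentials from the message
    for strategy in ("fail-closed", "skip", "report"):
        print(strategy, evaluate(RULES, creds, strategy).value)
```
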