An example would be:
Allow deleting any file in the directory, but not the directory itself:
GRANT(delete, "/a/b" = resource-ancestors)
// remembering that "=" is equivalent to "in-bag"
// for target matching operations
For the case when you are allowed to delete the directory as well (/a/b in
this case), that would be:
GRANT(delete, "/a/b" = resource-ancestors-or-self)
In general, when the hierarchy has non-heterogeneous resources, ancestors,
as distinct from ancestors-or-self, would be useful to have.
The reason I suggested defining ancestors-or-self using the type-union
function definition is to avoid duplicating the "self" in cases when
the ancestors are defined to include the "self".
As far as "parent" goes, I think it is not generally needed, since a
system requiring one-level-deep inheritance can be handled with an
appropriate definition of what "ancestor" is. So I would also
think that "parent-or-self" is redundant.
Daniel;
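
The two rules from the message above, evaluated against sample requests. This is an added example and not part of the original message: it assumes a '/'-separated path hierarchy with canonical paths, models a bag as a list, and all function names are hypothetical.

```python
# Added illustration; every name below is hypothetical.
# Assumes canonical '/'-separated paths (no "..", no symlinks).

def norm(path):
    return "/" + "/".join(p for p in path.split("/") if p)

def resource_ancestors(resource, self_is_ancestor=False):
    """Bag of ancestors. self_is_ancestor models a hierarchy whose own
    definition of "ancestor" already includes the resource itself."""
    parts = [p for p in resource.split("/") if p]
    bag = ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]
    return bag + [norm(resource)] if self_is_ancestor else bag

def type_union(*bags):
    """Union of bags: each value appears once, first-seen order kept."""
    seen, out = set(), []
    for bag in bags:
        for value in bag:
            if value not in seen:
                seen.add(value)
                out.append(value)
    return out

def resource_ancestors_or_self(resource, **kw):
    # Defined through the union so "self" is never duplicated, even when
    # the ancestor bag already contains it.
    return type_union(resource_ancestors(resource, **kw), [norm(resource)])

def grant(action, target, attribute):
    """GRANT(action, target = attribute); "=" behaves as in-bag."""
    def rule(req_action, resource):
        return req_action == action and target in attribute(resource)
    return rule

# GRANT(delete, "/a/b" = resource-ancestors)
files_only = grant("delete", "/a/b", resource_ancestors)
# GRANT(delete, "/a/b" = resource-ancestors-or-self)
dir_too = grant("delete", "/a/b", resource_ancestors_or_self)

if __name__ == "__main__":
    for res in ("/a/b/c.txt", "/a/b", "/a/bc/x.txt"):  # constructed requests
        print(res, files_only("delete", res), dir_too("delete", res))
```

Because the match is on whole path components in the bag, "/a/bc/x.txt" is not covered by either rule, which a string-prefix comparison on "/a/b" would get wrong.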