The return of authoritative hooks

From the article, it seems LSM is seen as a way to restrict a user's rights from an original
set, where I think it should be a way to say who can do what.

Each user could then have a tick-box kind of configuration, which is in fact similar to making
a user part of a group to give them access to a category of devices.

But I suppose the all idea now would be to say like: user A cannot access /dev/sda* (the hard
disk), but can access /dev/sdb* (a USB key that is known to belong to them).

Correct?