Rich access control lists

Sounds like a firewall. First apply blacklists (those individuals and groups who are to be denied access at all times). Next apply whitelists (those individuals and groups always allowed access). Then apply mixed allow/deny rules that may allow access or may deny access. Finally, if access hasn't already been allowed or denied, deny it. Easy concept. Non-trivial implementation.