[OTDev] Policy creation

Andreas Maunz andreas at maunz.de
Tue Jun 22 11:28:52 CEST 2010


Dear webservice developers,

we (IST) discussed several strategies to create policies, and I would 
like to summarize them roughly and also discuss them with you:

Ownership:
- We try to keep the analogy to file systems. In a (modern) file system, 
every file has an owner. In our service, a policy is created using a 
token. The token belongs to a user, and, in analogy to file systems, 
this user is registered as the owner of all URIs that appear in the policy.
- In line with file systems, the owner has no obligation to grant 
himself access to the respective resources, but retains the right to do 
so at any time. Moreover, he has full control over all his resources, 
including the possibility to deny any access. What is still missing is the 
possibility to transfer ownership to another user.

Creation and deletion:
- Webservice developers are encouraged to tie resources and policies 
together as closely as possible in order to avoid "orphans", i.e. resources 
or policies that have no matching policy or resource, respectively. This 
is a design task, but could in the future also be more soundly tackled 
by a technology that attaches policies more directly to a resource.

Default policies:
- We follow a strategy (in analogy to file systems) to create policies 
giving the owner full access to the resources by default. Conversely, 
all other users are granted read access only by default. Importantly, 
this may be overridden already on creation of a resource. What read and 
full access means in terms of GET, POST, PUT, DELETE, is however not 
clear a priori.

Best regards
Andreas
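
The ownership, default-policy and orphan rules summarized in the message above, as an added example that is not part of the original post or of the OpenTox code. The class and method names, the sample URIs and tokens, the mapping of "read" to GET and "full" to all four methods, and the deny-when-no-policy rule are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed mapping: the post leaves the HTTP meaning of "read" and "full" open.
READ = frozenset({"GET"})
FULL = frozenset({"GET", "POST", "PUT", "DELETE"})

@dataclass
class Policy:
    owner: str                    # user the creating token belongs to
    uris: frozenset               # every URI in the policy is owned by `owner`
    owner_methods: frozenset      # methods the owner has granted to himself
    other_methods: frozenset      # methods granted to all other users

class PolicyStore:
    def __init__(self, tokens):
        self.tokens = dict(tokens)   # token -> user
        self.by_uri = {}             # URI -> Policy

    def create(self, token, uris, owner_methods=FULL, other_methods=READ):
        """Defaults: owner full, others read; both may be overridden on creation."""
        user = self.tokens[token]    # unknown token raises KeyError
        taken = [u for u in uris if u in self.by_uri]
        if taken:                    # assumption: an owned URI cannot be claimed again
            raise PermissionError(f"already owned: {taken}")
        policy = Policy(user, frozenset(uris), frozenset(owner_methods),
                        frozenset(other_methods))
        self.by_uri.update((u, policy) for u in uris)
        return policy

    def allowed(self, token, method, uri):
        user, policy = self.tokens.get(token), self.by_uri.get(uri)
        if user is None or policy is None:
            return False             # assumption: no token or no policy means deny
        granted = policy.owner_methods if user == policy.owner else policy.other_methods
        return method in granted

    def set_access(self, token, uri, owner_methods=None, other_methods=None):
        """Ownership, not current access, decides who may edit the policy."""
        policy = self.by_uri[uri]
        if self.tokens.get(token) != policy.owner:
            raise PermissionError("only the owner may change this policy")
        if owner_methods is not None:
            policy.owner_methods = frozenset(owner_methods)
        if other_methods is not None:
            policy.other_methods = frozenset(other_methods)

    def orphans(self, resource_uris):
        """Return (resources without a policy, policy URIs without a resource)."""
        resources, covered = set(resource_uris), set(self.by_uri)
        return resources - covered, covered - resources
```

Running `orphans()` against the service's own resource listing after every create and delete is one way to catch the mismatch the message warns about.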


