"An authorization policy preferably consists of four components, including objects, subjects, privileges, and conditions." . . . .