In all my experience, every single complex security policy I've seen
has very serious issues. Complexity kills it. There's always a scenario
somewhere that someone has forgotten about that breaks stuff.

Heck, this even happens with access control systems like PAM. About every
3 months, we hear of a security hole where some distro has managed to ship
an ssh policy that makes it possible for root to login remotely without
entering a password, provided he does not have a DSA key (don't believe my
word, read bugtraq!).

There is no model of complex security authentication systems. There is no
tool that allows people to configure this kind of stuff properly, *and
check the results*. Not just write documents, but actually verify that
*every case* makes sense. Consider the combinatorial complexity of that.
Consider real information systems, where people either have ten passwords
to remember, or they use some account that's not there, or there is some
temporal incongruity between what should be and what is. (Tivoli is
probably the closest there is to that in the proprietary world.)

In the end, you want simple security. If you need ACLs, then you probably
fucked up your design, and decided to add an architectural band-aid to
cater over the holes of the broken design.

That said, ACLs and mandatory access control make for great security theater
(see Bruce Schneier's website if you don't get the reference).
It's the kind of expertise that allows consulting business to make a living
in security IT. Not much actual security, though.