In all my experience, every single complex security policy I've seen
has very serious issues.   Complexity kills it. There's always a scenario
somewhere that someone has forgotten about that breaks stuff.

Heck, this even happens with access control systems like PAM. About every
3 months, we hear of a security hole where some distro has managed to ship
an ssh policy that makes it possible for root to login remotely without
entering a password, provided he does not have a DSA key (don't believe my
word, read bugtraq!).

There is no model of complex security authentication systems. There is no
tool that allows people to configure this kind of stuff properly, *and
check the results*. Not just write documents, but actually verify that
*every case* makes sense.   Consider the combinatorial complexity of that.
Consider real information systems, where people either have ten passwords
to remember, or they use some account that's not there, or there is some
temporal incongruity between what should be and what is.

(Tivoli is probably the closest there is to that in the proprietary world).

In the end, you want simple security. If you need ACLs, then you probably
fucked up your design, and decided to add an architectural band-aid to
cater over the holes of the broken design.

That said, ACLs and mandatory access control make for great security theater
(see Bruce Schneier's website if you don't get the reference).
It's the kind of expertise that allows consulting business to make a living
in security IT.

Not much actual security, though.