the idea is my "core" stack creates some policies and then each app defines it's own access policies on top of that