The usual #RBAC and #ABAC policies express rules presuming that the actor who initiated a request is a single principal. Is there an approach that allows requests w/ composite tokens containing at least two principals? Take into account the OAuth client's and the user's own privileges.