* Basically, if the subject has one of the "special" principals
* (token, local password, etc.) then we accept it for any action
* on the DAS and on instances. Otherwise, it's a person and
* we allow full access on the DAS but read-only on instances.
*/
Decision result =
        isSubjectInternalAdministrator(subject.getSubject())
        || isSubjectTrustedForDASAndInstances(subject)
        || // Looks external. Allow full access on DAS, read-only on instance.