I attempt to describe a complex application in which several patterns can be identified.

Consider a reservation system for some facility outside the computer—perhaps landing slots at an airport. We have an object, BM, perhaps as simple as a bit map which remembers which slots have been allocated. We have a simple trusted class of objects RA which each have access to BM and have a capability to send signals out of the system announcing reservations they have made.

An instance, Ra, of RA holds a reference to a policy object which it consults before it makes a reservation. Different Ra’s have different policy objects and indeed policy objects of different classes. Policy objects are not shared.

If you want to be allocated a landing slot you present your credentials to the air-port authority who returns to you an Ra equipped with a policy object suitable to your credentials.

The policy object is a keeper of the Ra. You can verify that the Ra that you received is a valid RA and thus any reservation it returns may be relied upon. The air-port authority has chosen the policy object to represent its interests and obligations. You negotiate with the Ra a suitable landing slot if you can. The Ra consults the policy object which may disallow some allocations.

You might argue that if you trust RA you may as well trust the air-port authority. If you got your Ra from a broker then there is a murky question about the authority the broker has to issue Ra’s and with which policy objects.