I attempt to describe a complex application in which several patterns can be identified.
Consider a reservation system for some facility outside the computer—perhaps landing slots at an airport. We have an object, BM, perhaps as simple as a bit map which remembers which slots have been allocated. We have a simple trusted class of objects RA which each have access to BM and have a capability to send signals out of the system announcing reservations they have made.
An instance, Ra, of RA holds a reference to a policy object which it consults before it makes a reservation. Different Ra’s have different policy objects and indeed policy objects of different classes. Policy objects are not shared.
If you want to be allocated a landing slot you present your credentials to the air-port authority who returns to you an Ra equipped with a policy object suitable to your credentials.
The policy object is a keeper of the Ra. You can verify that the Ra that you received is a valid RA and thus any reservation it returns may be relied upon. The air-port authority has chosen the policy object to represent its interests and obligations. You negotiate with the Ra a suitable landing slot if you can. The Ra consults the policy object which may disallow some allocations.