This policy is intended to provide exclusive access to operational devices for certain privileged Principals (users and groups). If a Principal is assigned permissions at the device level against a concrete device, the Principal (referred to as the primary Principal) automatically claims exclusive access to the device. This means that other Principals are not authorized to access this device, under any circumstances.

To assign a different set of permissions than the primary Principal, the notion of an abstract Principal called Others is introduced. The Others Principal is used to represent the rest of the Principals that are not the primary Principal, and can be used by the administrator to assign permissions (typically less effective privileges) on the device.

After a Principal is assigned explicit permissions on concrete devices, the permission enforcement does not fall back to the network or system.