A variety of mechanisms have been used in access control systems to support enterprises' diverse security needs. For example, some enterprises might allow individual users to assign privileges on files that they own, whereas others might require that permissions be granted and revoked by security administrators only; some enterprises wish to operate under closed access policies (where permission is denied unless explicitly granted), whereas others prefer to allow access only if the number of positive authorizations exceeds the number of negative ones. We will explore two frameworks, namely creation time policies and conflict resolution policies, that together allow software vendors to support a wide variety of discretionary access control mechanisms using a single code base.