diff --git a/api/src/main/java/edu/cornell/mannlib/vedit/controller/BaseEditController.java b/api/src/main/java/edu/cornell/mannlib/vedit/controller/BaseEditController.java
index 65ecd722dc..23a3e6f51e 100644
--- a/api/src/main/java/edu/cornell/mannlib/vedit/controller/BaseEditController.java
+++ b/api/src/main/java/edu/cornell/mannlib/vedit/controller/BaseEditController.java
@@ -9,34 +9,41 @@
 import java.text.SimpleDateFormat;
 import java.util.ArrayList;
 import java.util.Calendar;
-import java.util.Collections;
 import java.util.Comparator;
 import java.util.Enumeration;
 import java.util.HashMap;
-import java.util.Iterator;
+import java.util.HashSet;
+import java.util.LinkedHashMap;
 import java.util.LinkedList;
 import java.util.List;
-import java.util.ListIterator;
 import java.util.Map;
 import java.util.Random;
+import java.util.Set;
 
 import javax.servlet.http.HttpServletRequest;
 
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-
 import edu.cornell.mannlib.vedit.beans.EditProcessObject;
 import edu.cornell.mannlib.vedit.beans.Option;
 import edu.cornell.mannlib.vedit.util.FormUtils;
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType;
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation;
+import edu.cornell.mannlib.vitro.webapp.auth.policy.EntityPolicyController;
+import edu.cornell.mannlib.vitro.webapp.beans.PermissionSet;
 import edu.cornell.mannlib.vitro.webapp.controller.Controllers;
 import edu.cornell.mannlib.vitro.webapp.controller.VitroHttpServlet;
 import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
-import edu.cornell.mannlib.vitro.webapp.modelaccess.ModelAccess;
 import edu.cornell.mannlib.vitro.webapp.dao.WebappDaoFactory;
+import edu.cornell.mannlib.vitro.webapp.modelaccess.ModelAccess;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
 
 public class BaseEditController extends VitroHttpServlet {
 
-	public static final boolean FORCE_NEW = true; // when you know you're starting a new edit process
+    public static final String ENTITY_URI_ATTRIBUTE_NAME = "_permissionsEntityURI";
+    public static final String ENTITY_TYPE_ATTRIBUTE_NAME = "_permissionsEntityType";
+
+    public static final boolean FORCE_NEW = true; // when you know you're starting a new edit process
 
     public static final String JSP_PREFIX = "/templates/edit/specific/";
 
@@ -51,82 +58,87 @@ public class BaseEditController extends VitroHttpServlet {
     private final int MAX_EPOS = 5;
     private final Calendar cal = Calendar.getInstance();
 
-    /* EPO is reused if the controller is passed an epoKey, e.g.
-      if a previous form submission failed validation, or the edit is a multistage process. */
+    /*
+     * EPO is reused if the controller is passed an epoKey, e.g. if a previous form submission failed validation, or the
+     * edit is a multistage process.
+     */
 
     protected EditProcessObject createEpo(HttpServletRequest request) {
-    	return createEpo(request, false);
+        return createEpo(request, false);
     }
 
     protected EditProcessObject createEpo(HttpServletRequest request, boolean forceNew) {
-        /* this is actually a bit of a misnomer, because we will reuse an epo
-        if an epoKey parameter is passed */
+        /*
+         * this is actually a bit of a misnomer, because we will reuse an epo if an epoKey parameter is passed
+         */
         EditProcessObject epo = null;
         HashMap epoHash = getEpoHash(request);
         String existingEpoKey = request.getParameter("_epoKey");
-        if (!forceNew && existingEpoKey != null && epoHash.get(existingEpoKey) != null)  {
+        if (!forceNew && existingEpoKey != null && epoHash.get(existingEpoKey) != null) {
             epo = (EditProcessObject) epoHash.get(existingEpoKey);
             epo.setKey(existingEpoKey);
             epo.setUseRecycledBean(true);
         } else {
             LinkedList epoKeylist = getEpoKeylist(request);
             if (epoHash.size() == MAX_EPOS) {
-            	try {
-            		epoHash.remove(epoKeylist.getFirst());
-            		epoKeylist.removeFirst();
-            	} catch (Exception e) {
-            		// see JIRA issue VITRO-340, "Odd exception from backend editing"
-            		// possible rare concurrency issue here
-            		log.error("Error removing old EPO", e);
-            	}
+                try {
+                    epoHash.remove(epoKeylist.getFirst());
+                    epoKeylist.removeFirst();
+                } catch (Exception e) {
+                    // see JIRA issue VITRO-340, "Odd exception from backend editing"
+                    // possible rare concurrency issue here
+                    log.error("Error removing old EPO", e);
+                }
             }
             Random rand = new Random();
             String epoKey = createEpoKey();
             while (epoHash.get(epoKey) != null) {
-                epoKey+=Integer.toHexString(rand.nextInt());
+                epoKey += Integer.toHexString(rand.nextInt());
             }
             epo = new EditProcessObject();
-            epoHash.put (epoKey,epo);
+            epoHash.put(epoKey, epo);
             epoKeylist.add(epoKey);
             epo.setKey(epoKey);
-            epo.setReferer( (forceNew) ? request.getRequestURL().append('?').append(request.getQueryString()).toString() : request.getHeader("Referer") );
+            epo.setReferer((forceNew) ? request.getRequestURL().append('?').append(request.getQueryString()).toString()
+                    : request.getHeader("Referer"));
             epo.setSession(request.getSession());
         }
         return epo;
     }
 
-    private LinkedList getEpoKeylist(HttpServletRequest request){
+    private LinkedList getEpoKeylist(HttpServletRequest request) {
         return (LinkedList) request.getSession().getAttribute(EPO_KEYLIST_ATTR);
     }
 
-    private HashMap getEpoHash(HttpServletRequest request){
+    private HashMap getEpoHash(HttpServletRequest request) {
         HashMap epoHash = (HashMap) request.getSession().getAttribute(EPO_HASH_ATTR);
         if (epoHash == null) {
             epoHash = new HashMap();
-            request.getSession().setAttribute(EPO_HASH_ATTR,epoHash);
-            //since we're making a new EPO hash, we should also make a new keylist.
+            request.getSession().setAttribute(EPO_HASH_ATTR, epoHash);
+            // since we're making a new EPO hash, we should also make a new keylist.
             LinkedList epoKeylist = new LinkedList();
-            request.getSession().setAttribute(EPO_KEYLIST_ATTR,epoKeylist);
+            request.getSession().setAttribute(EPO_KEYLIST_ATTR, epoKeylist);
         }
         return epoHash;
     }
 
-    private String createEpoKey(){
+    private String createEpoKey() {
         return Long.toHexString(cal.getTimeInMillis());
     }
 
-    protected void setRequestAttributes(HttpServletRequest request, EditProcessObject epo){
-    	VitroRequest vreq = new VitroRequest(request);
-        request.setAttribute("epoKey",epo.getKey());
-        request.setAttribute("epo",epo);
-        request.setAttribute("globalErrorMsg",epo.getAttribute("globalErrorMsg"));
-        request.setAttribute("css", "<link rel=\"stylesheet\" type=\"text/css\" href=\""+vreq.getAppBean().getThemeDir()+"css/edit.css\"/>");
+    protected void setRequestAttributes(HttpServletRequest request, EditProcessObject epo) {
+        VitroRequest vreq = new VitroRequest(request);
+        request.setAttribute("epoKey", epo.getKey());
+        request.setAttribute("epo", epo);
+        request.setAttribute("globalErrorMsg", epo.getAttribute("globalErrorMsg"));
+        request.setAttribute("css", "<link rel=\"stylesheet\" type=\"text/css\" href=\""
+                + vreq.getAppBean().getThemeDir() + "css/edit.css\"/>");
     }
 
     protected void populateBeanFromParams(Object bean, HttpServletRequest request) {
         Map params = request.getParameterMap();
         Enumeration paramNames = request.getParameterNames();
-        while (paramNames.hasMoreElements()){
+        while (paramNames.hasMoreElements()) {
             String key = "";
             try {
                 key = (String) paramNames.nextElement();
@@ -157,9 +169,9 @@ protected void populateBeanFromParams(Object bean, HttpServletRequest request) {
         }
     }
 
-    public List<Option> getSortedList(HashMap<String,Option> hashMap, List<Option> optionList, VitroRequest vreq){
+    public List<Option> getSortedList(HashMap<String, Option> hashMap, List<Option> optionList, VitroRequest vreq) {
 
-        class ListComparator implements Comparator<String>{
+        class ListComparator implements Comparator<String> {
 
             Collator collator;
 
@@ -174,23 +186,22 @@ public int compare(String str1, String str2) {
 
         }
 
-       List<String> bodyVal = new ArrayList<String>();
-       List<Option> options = new ArrayList<Option>();
+        List<String> bodyVal = new ArrayList<String>();
+        List<Option> options = new ArrayList<Option>();
         for (Option option : optionList) {
             hashMap.put(option.getBody(), option);
             bodyVal.add(option.getBody());
         }
 
-
-       bodyVal.sort(new ListComparator(vreq.getCollator()));
+        bodyVal.sort(new ListComparator(vreq.getCollator()));
         for (String aBodyVal : bodyVal) {
             options.add(hashMap.get(aBodyVal));
         }
-       return options;
-   }
+        return options;
+    }
 
     protected WebappDaoFactory getWebappDaoFactory() {
-    	return ModelAccess.on(getServletContext()).getWebappDaoFactory(ASSERTIONS_ONLY);
+        return ModelAccess.getInstance().getWebappDaoFactory(ASSERTIONS_ONLY);
     }
 
     protected WebappDaoFactory getWebappDaoFactory(String userURI) {
@@ -198,7 +209,135 @@ protected WebappDaoFactory getWebappDaoFactory(String userURI) {
     }
 
     public String getDefaultLandingPage(HttpServletRequest request) {
-    	return(request.getContextPath() + DEFAULT_LANDING_PAGE);
+        return (request.getContextPath() + DEFAULT_LANDING_PAGE);
+    }
+
+    protected static void addAccessAttributes(HttpServletRequest req, String entityURI, AccessObjectType aot) {
+        // Add the permissionsEntityURI (if we are creating a new property, this will be empty)
+        req.setAttribute(ENTITY_URI_ATTRIBUTE_NAME, entityURI);
+
+        // Get the available permission sets
+        List<PermissionSet> permissionSets = buildListOfSelectableRoles(ModelAccess.on(req).getWebappDaoFactory());
+        List<RoleInfo> roles = new ArrayList<>();
+        List<String> roleUris = new ArrayList<>();
+
+        for (PermissionSet permissionSet : permissionSets) {
+            roles.add(new RoleInfo(permissionSet));
+            roleUris.add(permissionSet.getUri());
+        }
+        List<AccessOperation> accessOperations = AccessOperation.getOperations(aot);
+        // Operation, list of roles>
+        Map<String, List<RoleInfo>> operationsToRoles = new LinkedHashMap<>();
+        for (AccessOperation operation : accessOperations) {
+            List<RoleInfo> roleInfos = new LinkedList<>();
+            String operationName = StringUtils.capitalize(operation.toString().toLowerCase());
+            operationsToRoles.put(operationName, roleInfos);
+            for (RoleInfo role : roles) {
+                RoleInfo roleCopy = role.clone();
+                roleInfos.add(roleCopy);
+                if (isPublicForbiddenOperation(operation)) {
+                    if (roleCopy.isPublic) {
+                        roleCopy.setEnabled(false);
+                        roleCopy.setGranted(false);
+                    }
+                }
+            }
+            if (!StringUtils.isEmpty(entityURI)) {
+                for (RoleInfo roleInfo : roleInfos) {
+                    if (roleInfo.isEnabled()) {
+                        roleInfo.setGranted(
+                                EntityPolicyController.isGranted(entityURI, aot, operation, roleInfo.getUri()));
+                    }
+                }
+            }
+        }
+        req.setAttribute("operationsToRoles", operationsToRoles);
+    }
+
+    static boolean isPublicForbiddenOperation(AccessOperation operation) {
+        return operation.equals(AccessOperation.PUBLISH);
+    }
+
+    public static class RoleInfo {
+        String uri;
+        String label;
+        private boolean enabled = true;
+        private boolean granted = true;
+        private boolean isPublic;
+
+        public RoleInfo(PermissionSet ps) {
+            uri = ps.getUri();
+            label = ps.getLabel();
+            isPublic = ps.isForPublic();
+        }
+
+        public RoleInfo(String uri, String label, boolean isPublic) {
+            this.uri = uri;
+            this.label = label;
+            this.isPublic = isPublic;
+        }
+
+        public String getUri() {
+            return uri;
+        }
+
+        public String getLabel() {
+            return label;
+        }
+
+        public boolean isEnabled() {
+            return enabled;
+        }
+
+        public void setEnabled(boolean enabled) {
+            this.enabled = enabled;
+        }
+
+        public boolean isGranted() {
+            return granted;
+        }
+
+        public void setGranted(boolean granted) {
+            this.granted = granted;
+        }
+
+        public RoleInfo clone() {
+            return new RoleInfo(uri, label, isPublic);
+        }
+
+        public boolean isPublic() {
+            return isPublic;
+        }
     }
 
+    /**
+     * Create a list of all known PermissionSets.
+     */
+    protected static List<PermissionSet> buildListOfSelectableRoles(WebappDaoFactory wadf) {
+        List<PermissionSet> permissionSets = new ArrayList<>();
+
+        // Get the non-public PermissionSets.
+        for (PermissionSet ps : wadf.getUserAccountsDao().getAllPermissionSets()) {
+            if (!ps.isForPublic()) {
+                permissionSets.add(ps);
+            }
+        }
+
+        // Sort the non-public PermissionSets
+        permissionSets.sort(new Comparator<PermissionSet>() {
+            @Override
+            public int compare(PermissionSet ps1, PermissionSet ps2) {
+                return ps1.getUri().compareTo(ps2.getUri());
+            }
+        });
+
+        // Add the public PermissionSets.
+        for (PermissionSet ps : wadf.getUserAccountsDao().getAllPermissionSets()) {
+            if (ps.isForPublic()) {
+                permissionSets.add(ps);
+            }
+        }
+
+        return permissionSets;
+    }
 }
diff --git a/api/src/main/java/edu/cornell/mannlib/vedit/controller/OperationController.java b/api/src/main/java/edu/cornell/mannlib/vedit/controller/OperationController.java
index f925dfe362..6953d7e343 100644
--- a/api/src/main/java/edu/cornell/mannlib/vedit/controller/OperationController.java
+++ b/api/src/main/java/edu/cornell/mannlib/vedit/controller/OperationController.java
@@ -5,20 +5,33 @@
 import java.io.IOException;
 import java.lang.reflect.InvocationTargetException;
 import java.lang.reflect.Method;
+import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Enumeration;
 import java.util.HashMap;
+import java.util.HashSet;
 import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 
 import javax.servlet.annotation.WebServlet;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType;
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation;
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.OperationGroup;
+import edu.cornell.mannlib.vitro.webapp.auth.policy.EntityPolicyController;
+import edu.cornell.mannlib.vitro.webapp.beans.PermissionSet;
+import edu.cornell.mannlib.vitro.webapp.modelaccess.ModelAccess;
+import org.apache.commons.lang3.EnumUtils;
+import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
 import edu.cornell.mannlib.vedit.beans.EditProcessObject;
+import edu.cornell.mannlib.vedit.controller.BaseEditController.RoleInfo;
 import edu.cornell.mannlib.vedit.forwarder.PageForwarder;
 import edu.cornell.mannlib.vedit.listener.ChangeListener;
 import edu.cornell.mannlib.vedit.listener.EditPreProcessor;
@@ -123,6 +136,43 @@ public void doPost (HttpServletRequest request, HttpServletResponse response) {
             	return;
             }
 
+            // If contains restrictions
+            if (request.getParameter("_permissions") != null) {
+                // Get the namespace that we are editing
+                String entityUri = request.getParameter(ENTITY_URI_ATTRIBUTE_NAME);
+                if (StringUtils.isEmpty(entityUri)) {
+                    // If we don't have a namespace set, we are creating a new entity so use that namespace
+                    if (!StringUtils.isEmpty(request.getParameter("Namespace")) && !StringUtils.isEmpty(request.getParameter("LocalName"))) {
+                        entityUri = "" + request.getParameter("Namespace") + request.getParameter("LocalName");    
+                    }
+                }
+                String entityType = request.getParameter(ENTITY_TYPE_ATTRIBUTE_NAME);
+                List<PermissionSet> permissionSets = buildListOfSelectableRoles(ModelAccess.on(request).getWebappDaoFactory());
+                Set<RoleInfo> roles = new HashSet<>();
+                for (PermissionSet permissionSet : permissionSets) {
+                    roles.add(new RoleInfo(permissionSet));
+                }  
+                AccessObjectType aot = getAccessObjectType(entityUri, entityType);
+                if (aot != null) {
+                    List<AccessOperation> operations = AccessOperation.getOperations(aot);
+                    for (AccessOperation ao : operations) {
+                        String operationGroupName = ao.toString().toLowerCase().split("_")[0];
+                        Set<String> selectedRoles = getSelectedRoles(request, operationGroupName);
+                        for (RoleInfo role : roles) {
+                            if (role.isPublic() && isPublicForbiddenOperation(ao)) {
+                                continue;
+                            }
+                            if (selectedRoles.contains(role.getUri())) {
+                                EntityPolicyController.grantAccess(entityUri, aot, ao, role.getUri());    
+                            } else {
+                                EntityPolicyController.revokeAccess(entityUri, aot, ao, role.getUri());
+                            }
+                            
+                        }
+                    }
+                }
+            }
+
             /* put request parameters and attributes into epo where the listeners can see */
             epo.setRequestParameterMap(request.getParameterMap());
 
@@ -180,6 +230,27 @@ public void doPost (HttpServletRequest request, HttpServletResponse response) {
         }
     }
 
+    private Set<String> getSelectedRoles(HttpServletRequest request, String operationGroupName) {
+        String[] selectedRoles = request.getParameterValues(operationGroupName + "Roles");
+        if (selectedRoles == null) {
+            selectedRoles = new String[0];
+        }
+        return new HashSet<String>(Arrays.asList(selectedRoles));
+    }
+
+    private AccessObjectType getAccessObjectType(String entityUri, String entityType) {
+        AccessObjectType aot = null;
+        // Get the granted permissions from the request object
+        if(StringUtils.isBlank(entityUri)) {
+            log.error("EntityUri is blank");
+        } else if (StringUtils.isBlank(entityType) || !EnumUtils.isValidEnum(AccessObjectType.class, entityType)) {
+            log.error("EntityType is not valid " + entityType);
+        } else {
+            aot = AccessObjectType.valueOf(entityType);
+        }
+        return aot;
+    }
+
     private void retry(HttpServletRequest request,
     		           HttpServletResponse response,
     		           EditProcessObject epo) throws IOException {
@@ -508,5 +579,4 @@ private boolean performEdit(EditProcessObject epo, Object newObj, String action)
         return SUCCESS;
 
     }
-
 }
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/RootUserSetup.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/RootUserSetup.java
new file mode 100644
index 0000000000..b6dbb966f1
--- /dev/null
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/RootUserSetup.java
@@ -0,0 +1,182 @@
+/* $This file is distributed under the terms of the license in LICENSE$ */
+
+package edu.cornell.mannlib.vitro.webapp.auth;
+
+import java.util.TreeSet;
+
+import javax.servlet.ServletContext;
+import javax.servlet.ServletContextEvent;
+import javax.servlet.ServletContextListener;
+
+import edu.cornell.mannlib.vitro.webapp.beans.UserAccount;
+import edu.cornell.mannlib.vitro.webapp.beans.UserAccount.Status;
+import edu.cornell.mannlib.vitro.webapp.config.ConfigurationProperties;
+import edu.cornell.mannlib.vitro.webapp.controller.authenticate.Authenticator;
+import edu.cornell.mannlib.vitro.webapp.dao.UserAccountsDao;
+import edu.cornell.mannlib.vitro.webapp.modelaccess.ModelAccess;
+import edu.cornell.mannlib.vitro.webapp.startup.StartupStatus;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+/**
+ *
+ * On setup, check to see that the specified root user exists. If not, create it. If we can't create it, abort.
+ *
+ * If any other root users exist, warn about them.
+ */
+public class RootUserSetup implements ServletContextListener {
+    private static final Log log = LogFactory.getLog(RootUserSetup.class);
+
+    private static final String PROPERTY_ROOT_USER_EMAIL = "rootUser.emailAddress";
+    /*
+     * UQAM Add-Feature For parameterization of rootUser
+     */
+    private static final String PROPERTY_ROOT_USER_PASSWORD = "rootUser.password";
+    private static final String PROPERTY_ROOT_USER_PASSWORD_CHANGE_REQUIRED = "rootUser.passwordChangeRequired";
+
+    private static final String ROOT_USER_INITIAL_PASSWORD = "rootPassword";
+    private static final String ROOT_USER_INITIAL_PASSWORD_CHANGE_REQUIRED = "true";
+
+    // ----------------------------------------------------------------------
+    // Setup class
+    // ----------------------------------------------------------------------
+
+    private ServletContext ctx;
+    private StartupStatus ss;
+    private UserAccountsDao uaDao;
+    private ConfigurationProperties cp;
+    private String configuredRootUser;
+    private boolean configuredRootUserExists;
+    private TreeSet<String> otherRootUsers;
+
+    @Override
+    public void contextInitialized(ServletContextEvent sce) {
+        ctx = sce.getServletContext();
+        ss = StartupStatus.getBean(ctx);
+        cp = ConfigurationProperties.getBean(ctx);
+
+        try {
+            uaDao = ModelAccess.on(ctx).getWebappDaoFactory().getUserAccountsDao();
+            configuredRootUser = getRootEmailFromConfig();
+
+            otherRootUsers = getEmailsOfAllRootUsers();
+            configuredRootUserExists = otherRootUsers.remove(configuredRootUser);
+
+            if (configuredRootUserExists) {
+                if (otherRootUsers.isEmpty()) {
+                    informThatRootUserExists();
+                } else {
+                    complainAboutMultipleRootUsers();
+                }
+            } else {
+                createRootUser();
+                if (!otherRootUsers.isEmpty()) {
+                    complainAboutWrongRootUsers();
+                }
+            }
+        } catch (Exception e) {
+            ss.fatal(this, "Failed to set up the RootUserPolicy", e);
+        }
+    }
+
+    private String getRootEmailFromConfig() {
+        String email = ConfigurationProperties.getBean(ctx).getProperty(PROPERTY_ROOT_USER_EMAIL);
+        if (email == null) {
+            throw new IllegalStateException(
+                    "runtime.properties must contain a value for '" + PROPERTY_ROOT_USER_EMAIL + "'");
+        } else {
+            return email;
+        }
+    }
+
+    private TreeSet<String> getEmailsOfAllRootUsers() {
+        TreeSet<String> rootUsers = new TreeSet<String>();
+        for (UserAccount ua : uaDao.getAllUserAccounts()) {
+            if (ua.isRootUser()) {
+                rootUsers.add(ua.getEmailAddress());
+            }
+        }
+        return rootUsers;
+    }
+
+    /**
+     * TODO The first and last name should be left blank, so the user will be forced to edit them. However, that's not
+     * in place yet.
+     */
+    private void createRootUser() {
+        if (!Authenticator.isValidEmailAddress(configuredRootUser)) {
+            throw new IllegalStateException("Value for '" + PROPERTY_ROOT_USER_EMAIL
+                    + "' is not a valid email address: '" + configuredRootUser + "'");
+        }
+
+        if (null != uaDao.getUserAccountByEmail(configuredRootUser)) {
+            throw new IllegalStateException("Can't create root user - "
+                    + "an account already exists with email address '" + configuredRootUser + "'");
+        }
+
+        UserAccount ua = new UserAccount();
+        ua.setEmailAddress(configuredRootUser);
+        ua.setFirstName("root");
+        ua.setLastName("user");
+        // UQAM Add-Feature using getRootPasswordFromConfig()
+        ua.setArgon2Password(Authenticator.applyArgon2iEncoding(getRootPasswordFromConfig()));
+        ua.setMd5Password("");
+        // UQAM Add-Feature using getRootPasswdChangeRequiredFromConfig()
+        ua.setPasswordChangeRequired(getRootPasswdChangeRequiredFromConfig().booleanValue());
+        ua.setStatus(Status.ACTIVE);
+        ua.setRootUser(true);
+
+        uaDao.insertUserAccount(ua);
+
+        StartupStatus.getBean(ctx).info(this, "Created root user '" + configuredRootUser + "'");
+    }
+
+    private void informThatRootUserExists() {
+        ss.info(this, "Root user is " + configuredRootUser);
+    }
+
+    private void complainAboutMultipleRootUsers() {
+        for (String other : otherRootUsers) {
+            ss.warning(this, "runtime.properties specifies '" + configuredRootUser + "' as the value for '"
+                    + PROPERTY_ROOT_USER_EMAIL + "', but the system also contains this root user: " + other);
+        }
+        ss.warning(this, "For security, " + "it is best to delete unneeded root user accounts.");
+    }
+
+    private void complainAboutWrongRootUsers() {
+        for (String other : otherRootUsers) {
+            ss.warning(this, "runtime.properties specifies '" + configuredRootUser + "' as the value for '"
+                    + PROPERTY_ROOT_USER_EMAIL + "', but the system contains this root user instead: " + other);
+        }
+        ss.warning(this, "Creating root user '" + configuredRootUser + "'");
+        ss.warning(this, "For security, " + "it is best to delete unneeded root user accounts.");
+    }
+
+    /*
+     * UQAM Add-Feature Add for getting rootUser.password property value from runtime.properties
+     */
+    private String getRootPasswordFromConfig() {
+        String passwd = ConfigurationProperties.getBean(ctx).getProperty(PROPERTY_ROOT_USER_PASSWORD);
+        if (passwd == null) {
+            passwd = ROOT_USER_INITIAL_PASSWORD;
+        }
+        return passwd;
+    }
+
+    /*
+     * UQAM Add-Feature Add for getting rootUser.passwordChangeRequired property value from runtime.properties
+     */
+    private Boolean getRootPasswdChangeRequiredFromConfig() {
+        String passwdCR = ConfigurationProperties.getBean(ctx).getProperty(PROPERTY_ROOT_USER_PASSWORD_CHANGE_REQUIRED);
+        if (passwdCR == null) {
+            passwdCR = ROOT_USER_INITIAL_PASSWORD_CHANGE_REQUIRED;
+        }
+        return new Boolean(passwdCR);
+    }
+
+    @Override
+    public void contextDestroyed(ServletContextEvent sce) {
+        // Nothing to destroy
+    }
+
+}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/AccessObjectType.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/AccessObjectType.java
new file mode 100644
index 0000000000..48ca429fb7
--- /dev/null
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/AccessObjectType.java
@@ -0,0 +1,18 @@
+/* $This file is distributed under the terms of the license in LICENSE$ */
+
+package edu.cornell.mannlib.vitro.webapp.auth.attributes;
+
+public enum AccessObjectType {
+    CLASS,
+    NAMED_OBJECT,
+    DATA_PROPERTY,
+    OBJECT_PROPERTY,
+    DATA_PROPERTY_STATEMENT,
+    OBJECT_PROPERTY_STATEMENT,
+    ENTITY_URI,
+    ROOT_USER,
+    FAUX_OBJECT_PROPERTY,
+    FAUX_DATA_PROPERTY,
+    FAUX_DATA_PROPERTY_STATEMENT,
+    FAUX_OBJECT_PROPERTY_STATEMENT,
+}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/AccessOperation.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/AccessOperation.java
new file mode 100644
index 0000000000..8a2b426e5a
--- /dev/null
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/AccessOperation.java
@@ -0,0 +1,27 @@
+/* $This file is distributed under the terms of the license in LICENSE$ */
+
+package edu.cornell.mannlib.vitro.webapp.auth.attributes;
+
+import java.util.Arrays;
+import java.util.List;
+
+public enum AccessOperation {
+    EXECUTE,
+    PUBLISH,
+    UPDATE,
+    DISPLAY,
+    ADD,
+    DROP,
+    EDIT;
+
+    public static List<AccessOperation> getOperations(AccessObjectType aot) {
+        if (aot.equals(AccessObjectType.DATA_PROPERTY)
+                || aot.equals(AccessObjectType.OBJECT_PROPERTY)
+                || aot.equals(AccessObjectType.FAUX_DATA_PROPERTY)
+                || aot.equals(AccessObjectType.FAUX_OBJECT_PROPERTY)) {
+            return Arrays.asList(AccessOperation.DISPLAY, AccessOperation.PUBLISH, AccessOperation.ADD,
+                    AccessOperation.DROP, AccessOperation.EDIT);
+        }
+        return Arrays.asList(AccessOperation.DISPLAY, AccessOperation.PUBLISH, AccessOperation.UPDATE);
+    }
+}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/Attribute.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/Attribute.java
new file mode 100644
index 0000000000..2c2f6634da
--- /dev/null
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/Attribute.java
@@ -0,0 +1,14 @@
+/* $This file is distributed under the terms of the license in LICENSE$ */
+
+package edu.cornell.mannlib.vitro.webapp.auth.attributes;
+
+public enum Attribute {
+    OPERATION,
+    SUBJECT_ROLE_URI,
+    SUBJECT_TYPE,
+    ACCESS_OBJECT_URI,
+    ACCESS_OBJECT_TYPE,
+    STATEMENT_OBJECT_URI,
+    STATEMENT_PREDICATE_URI,
+    STATEMENT_SUBJECT_URI,
+}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/AttributeValueKey.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/AttributeValueKey.java
new file mode 100644
index 0000000000..02dd77b623
--- /dev/null
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/AttributeValueKey.java
@@ -0,0 +1,86 @@
+package edu.cornell.mannlib.vitro.webapp.auth.attributes;
+
+import org.apache.commons.lang3.builder.EqualsBuilder;
+import org.apache.commons.lang3.builder.HashCodeBuilder;
+
+public class AttributeValueKey {
+
+    private AccessOperation ao;
+    private AccessObjectType aot;
+    private String role;
+    private String type;
+
+    public AttributeValueKey() {
+    }
+
+    public AttributeValueKey(AccessOperation ao, AccessObjectType aot, String role, String type) {
+        this.ao = ao;
+        this.aot = aot;
+        this.role = role;
+        this.type = type;
+    }
+
+    public AccessOperation getAccessOperation() {
+        return ao;
+    }
+
+    public void setOperation(AccessOperation ao) {
+        this.ao = ao;
+    }
+
+    public AccessObjectType getObjectType() {
+        return aot;
+    }
+
+    public void setObjectType(AccessObjectType aot) {
+        this.aot = aot;
+    }
+
+    public String getRole() {
+        return role;
+    }
+
+    public void setRole(String role) {
+        this.role = role;
+    }
+
+    public String getType() {
+        return type;
+    }
+
+    public void setType(String type) {
+        this.type = type;
+    }
+
+    public AttributeValueKey clone() {
+        return new AttributeValueKey(ao, aot, role, type);
+    }
+
+    @Override
+    public boolean equals(Object object) {
+        if (!(object instanceof AttributeValueKey)) {
+            return false;
+        }
+        if (object == this) {
+            return true;
+        }
+        AttributeValueKey compared = (AttributeValueKey) object;
+
+        return new EqualsBuilder()
+                .append(getAccessOperation(), compared.getAccessOperation())
+                .append(getObjectType(), compared.getObjectType())
+                .append(getRole(), compared.getRole())
+                .append(getType(), compared.getType())
+                .isEquals();
+    }
+
+    @Override
+    public int hashCode() {
+        return new HashCodeBuilder(151, 1017)
+                .append(getAccessOperation())
+                .append(getObjectType())
+                .append(getRole())
+                .append(getType())
+                .toHashCode();
+    }
+}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/AttributeValueSet.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/AttributeValueSet.java
new file mode 100644
index 0000000000..d8902b2509
--- /dev/null
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/AttributeValueSet.java
@@ -0,0 +1,29 @@
+package edu.cornell.mannlib.vitro.webapp.auth.attributes;
+
+public interface AttributeValueSet {
+
+    void add(String value);
+
+    void remove(String value);
+
+    void clear();
+
+    boolean contains(String value);
+
+    boolean containsSingleValue();
+
+    String getSingleValue();
+
+    boolean isEmpty();
+
+    void setValueSetUri(String valueSetUri);
+
+    String getValueSetUri();
+
+    void setType(String type);
+
+    void setDataSetUri(String dataSetUri);
+
+    void setKey(AttributeValueKey key);
+
+}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/AttributeValueSetRegistry.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/AttributeValueSetRegistry.java
new file mode 100644
index 0000000000..2ba0f0c00a
--- /dev/null
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/AttributeValueSetRegistry.java
@@ -0,0 +1,30 @@
+package edu.cornell.mannlib.vitro.webapp.auth.attributes;
+
+import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
+
+public class AttributeValueSetRegistry {
+
+    private static AttributeValueSetRegistry INSTANCE = new AttributeValueSetRegistry();
+    private Map<AttributeValueKey, AttributeValueSet> valuesMap = new ConcurrentHashMap<>();
+
+    private AttributeValueSetRegistry() {
+        INSTANCE = this;
+    }
+
+    public static AttributeValueSetRegistry getInstance() {
+        return INSTANCE;
+    }
+
+    public AttributeValueSet get(AttributeValueKey key) {
+        return valuesMap.get(key);
+    }
+
+    public void put(AttributeValueKey key, AttributeValueSet values) {
+        valuesMap.put(key, values);
+    }
+
+    public void clear() {
+        valuesMap.clear();
+    }
+}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/MutableAttributeValueSet.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/MutableAttributeValueSet.java
new file mode 100644
index 0000000000..e00b670632
--- /dev/null
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/MutableAttributeValueSet.java
@@ -0,0 +1,92 @@
+package edu.cornell.mannlib.vitro.webapp.auth.attributes;
+
+import java.util.Iterator;
+import java.util.Set;
+import java.util.concurrent.ConcurrentHashMap;
+
+public class MutableAttributeValueSet implements AttributeValueSet {
+
+    private Set<String> values = ConcurrentHashMap.newKeySet();
+    private String valueSetUri;
+    private String type;
+    private AttributeValueKey key;
+    private String dataSetUri;
+
+    public void setValueSetUri(String valueSetUri) {
+        this.valueSetUri = valueSetUri;
+    }
+
+    public MutableAttributeValueSet(String value) {
+        values.add(value);
+    }
+
+    @Override
+    public String getValueSetUri() {
+        return valueSetUri;
+    }
+
+    @Override
+    public void add(String value) {
+        if (value == null) {
+            return;
+        }
+        values.add(value);
+    }
+
+    @Override
+    public boolean contains(String value) {
+        if (value == null) {
+            return false;
+        }
+        return values.contains(value);
+    }
+
+    @Override
+    public boolean containsSingleValue() {
+        return values.size() == 1;
+    }
+
+    @Override
+    public String getSingleValue() {
+        Iterator<String> iterator = values.iterator();
+        if (iterator.hasNext()) {
+            return iterator.next();
+        }
+        return "";
+    }
+
+    @Override
+    public boolean isEmpty() {
+        return values.isEmpty();
+    }
+
+    @Override
+    public void remove(String value) {
+        values.remove(value);
+    }
+
+    @Override
+    public void setType(String type) {
+        this.type = type;
+    }
+
+    public String getType() {
+        return type;
+    }
+
+    @Override
+    public void clear() {
+        values.clear();
+    }
+
+    @Override
+    public void setKey(AttributeValueKey valueSetKey) {
+        this.key = valueSetKey;
+    }
+
+    @Override
+    public void setDataSetUri(String dataSetUri) {
+        this.dataSetUri = dataSetUri;
+    }
+
+}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/OperationGroup.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/OperationGroup.java
new file mode 100644
index 0000000000..c43f1f9b10
--- /dev/null
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/OperationGroup.java
@@ -0,0 +1,23 @@
+/* $This file is distributed under the terms of the license in LICENSE$ */
+
+package edu.cornell.mannlib.vitro.webapp.auth.attributes;
+
+import java.util.EnumSet;
+import java.util.Set;
+
+public enum OperationGroup {
+    DISPLAY_GROUP,
+    UPDATE_GROUP,
+    PUBLISH_GROUP;
+
+    public static Set<AccessOperation> getOperations(OperationGroup og) {
+        if (og.equals(UPDATE_GROUP)) {
+            return EnumSet.of(AccessOperation.ADD, AccessOperation.DROP, AccessOperation.EDIT);
+        }
+        if (og.equals(PUBLISH_GROUP)) {
+            return EnumSet.of(AccessOperation.PUBLISH);
+        }
+        return EnumSet.of(AccessOperation.DISPLAY);
+
+    }
+}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/ValueSetFactory.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/ValueSetFactory.java
new file mode 100644
index 0000000000..a7a12136c0
--- /dev/null
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/ValueSetFactory.java
@@ -0,0 +1,84 @@
+package edu.cornell.mannlib.vitro.webapp.auth.attributes;
+
+import java.util.Optional;
+
+import org.apache.jena.query.QuerySolution;
+
+public class ValueSetFactory {
+
+    public static AttributeValueSet create(String value, QuerySolution qs, AttributeValueKey dataSetKey) {
+        Optional<String> type = getSetElementsType(qs);
+        if (!type.isPresent() || dataSetKey == null) {
+            return new MutableAttributeValueSet(value);
+        } else {
+            AttributeValueKey avcKey = getAttributeValueSetKey(dataSetKey, type.get());
+            AttributeValueSet avc = AttributeValueSetRegistry.getInstance().get(avcKey);
+            if (avc == null) {
+                return createNew(value, qs, dataSetKey, avcKey);
+            } else {
+                return returnFromRegistry(value, avc);
+            }
+        }
+    }
+
+    private static AttributeValueSet returnFromRegistry(String value, AttributeValueSet avc) {
+        avc.clear();
+        avc.add(value);
+        return avc;
+    }
+
+    private static AttributeValueSet createNew(String value, QuerySolution qs, AttributeValueKey dataSetKey,
+            AttributeValueKey avcKey) {
+        AttributeValueSet avc;
+        avc = new MutableAttributeValueSet(value);
+        Optional<String> setUri = getSetUri(qs);
+        if (setUri.isPresent()) {
+            avc.setValueSetUri(setUri.get());
+        }
+        Optional<String> type = getSetElementsType(qs);
+        if (type.isPresent()) {
+            avc.setType(type.get());
+        }
+        Optional<String> dataSetUri = getDataSetUri(qs);
+        if (dataSetUri.isPresent()) {
+            avc.setDataSetUri(dataSetUri.get());
+        }
+        avc.setKey(dataSetKey);
+        register(avc, avcKey);
+        return avc;
+    }
+
+    private static AttributeValueKey getAttributeValueSetKey(AttributeValueKey dataSetKey, String type) {
+        AttributeValueKey avcKey = dataSetKey.clone();
+        avcKey.setType(type);
+        return avcKey;
+    }
+
+    private static void register(AttributeValueSet avc, AttributeValueKey key) {
+        AttributeValueSetRegistry.getInstance().put(key, avc);
+    }
+
+    private static Optional<String> getSetUri(QuerySolution qs) {
+        if (qs.contains("attributeValue") && qs.get("attributeValue").isResource()) {
+            String uri = qs.getResource("attributeValue").getURI();
+            return Optional.of(uri);
+        }
+        return Optional.empty();
+    }
+
+    private static Optional<String> getSetElementsType(QuerySolution qs) {
+        if (qs.contains("setElementsType") && qs.get("setElementsType").isLiteral()) {
+            String setElementsType = qs.getLiteral("setElementsType").getString();
+            return Optional.of(setElementsType);
+        }
+        return Optional.empty();
+    }
+
+    private static Optional<String> getDataSetUri(QuerySolution qs) {
+        if (qs.contains("dataSetUri") && qs.get("dataSetUri").isResource()) {
+            String dataSetUri = qs.getResource("dataSetUri").getURI();
+            return Optional.of(dataSetUri);
+        }
+        return Optional.empty();
+    }
+}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/AbstractCheck.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/AbstractCheck.java
new file mode 100644
index 0000000000..200da329c1
--- /dev/null
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/AbstractCheck.java
@@ -0,0 +1,95 @@
+/* $This file is distributed under the terms of the license in LICENSE$ */
+
+package edu.cornell.mannlib.vitro.webapp.auth.checks;
+
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AttributeValueSet;
+import org.apache.commons.lang3.builder.EqualsBuilder;
+import org.apache.commons.lang3.builder.HashCodeBuilder;
+
+public abstract class AbstractCheck implements Check {
+
+    private AttributeValueSet values;
+    private String uri;
+    private long computationalCost;
+
+    private CheckType testType = CheckType.EQUALS;
+
+    public AbstractCheck(String uri, AttributeValueSet values) {
+        this.uri = uri;
+        this.values = values;
+    }
+
+    public String getUri() {
+        return uri;
+    }
+
+    public void setUri(String uri) {
+        this.uri = uri;
+    }
+
+    public CheckType getType() {
+        return testType;
+    }
+
+    public void setType(CheckType testType) {
+        this.testType = testType;
+        adjustComputationCost(testType);
+    }
+
+    @Override
+    public void addValue(String value) {
+        values.add(value);
+    }
+
+    @Override
+    public AttributeValueSet getValues() {
+        return values;
+    }
+
+    @Override
+    public boolean equals(Object object) {
+        if (!(object instanceof AbstractCheck)) {
+            return false;
+        }
+        if (object == this) {
+            return true;
+        }
+        AbstractCheck compared = (AbstractCheck) object;
+
+        return new EqualsBuilder()
+                .append(getUri(), compared.getUri())
+                .append(getValues(), compared.getValues())
+                .isEquals();
+    }
+
+    @Override
+    public int hashCode() {
+        return new HashCodeBuilder(15, 101)
+                .append(getUri())
+                .append(getValues())
+                .toHashCode();
+    }
+
+    public long getComputationalCost() {
+        return computationalCost;
+    }
+
+    private void adjustComputationCost(CheckType testType) {
+        switch (testType) {
+            case ONE_OF:
+                computationalCost += 100;
+                return;
+            case NOT_ONE_OF:
+                computationalCost += 100;
+                return;
+            case STARTS_WITH:
+                computationalCost += 1000;
+                return;
+            case SPARQL_SELECT_QUERY_CONTAINS:
+                computationalCost += 10000;
+                return;
+            default:
+                return;
+        }
+    }
+}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/AccessObjectTypeCheck.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/AccessObjectTypeCheck.java
new file mode 100644
index 0000000000..052793d798
--- /dev/null
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/AccessObjectTypeCheck.java
@@ -0,0 +1,36 @@
+/* $This file is distributed under the terms of the license in LICENSE$ */
+
+package edu.cornell.mannlib.vitro.webapp.auth.checks;
+
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.Attribute;
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AttributeValueSet;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.AccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.AuthorizationRequest;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+public class AccessObjectTypeCheck extends AbstractCheck {
+
+    private static final Log log = LogFactory.getLog(AccessObjectTypeCheck.class);
+
+    public AccessObjectTypeCheck(String uri, AttributeValueSet values) {
+        super(uri, values);
+    }
+
+    @Override
+    public boolean check(AuthorizationRequest ar) {
+        AccessObject ao = ar.getAccessObject();
+        final String inputValue = ao.getType().toString();
+        if (AttributeValueChecker.test(this, ar, inputValue)) {
+            log.debug("Attribute match requested object type '" + inputValue + "'");
+            return true;
+        }
+        log.debug("Attribute don't match requested object type '" + inputValue + "'");
+        return false;
+    }
+
+    @Override
+    public Attribute getAttributeType() {
+        return Attribute.ACCESS_OBJECT_TYPE;
+    }
+}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/AccessObjectUriCheck.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/AccessObjectUriCheck.java
new file mode 100644
index 0000000000..a814f76b64
--- /dev/null
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/AccessObjectUriCheck.java
@@ -0,0 +1,44 @@
+/* $This file is distributed under the terms of the license in LICENSE$ */
+
+package edu.cornell.mannlib.vitro.webapp.auth.checks;
+
+import java.util.Optional;
+
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.Attribute;
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AttributeValueSet;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.AccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.AuthorizationRequest;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+public class AccessObjectUriCheck extends AbstractCheck {
+
+    private static final Log log = LogFactory.getLog(AccessObjectUriCheck.class);
+
+    public AccessObjectUriCheck(String uri, AttributeValueSet set) {
+        super(uri, set);
+    }
+
+    @Override
+    public boolean check(AuthorizationRequest ar) {
+        AccessObject ao = ar.getAccessObject();
+        Optional<String> inputValue = ao.getUri();
+        if (!inputValue.isPresent()) {
+            log.debug("Checked access object uri is not present.");
+            return false;
+        }
+        String uri = inputValue.get();
+        if (AttributeValueChecker.test(this, ar, uri)) {
+            log.debug("Attribute match requested '" + uri + "'");
+            return true;
+        }
+        log.debug("Attribute don't match requested '" + uri + "'");
+        return false;
+    }
+
+    @Override
+    public Attribute getAttributeType() {
+        return Attribute.ACCESS_OBJECT_URI;
+    }
+
+}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/AttributeValueChecker.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/AttributeValueChecker.java
new file mode 100644
index 0000000000..b374015904
--- /dev/null
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/AttributeValueChecker.java
@@ -0,0 +1,106 @@
+/* $This file is distributed under the terms of the license in LICENSE$ */
+
+package edu.cornell.mannlib.vitro.webapp.auth.checks;
+
+import java.util.Arrays;
+import java.util.List;
+
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AttributeValueSet;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.AccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.AuthorizationRequest;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.jena.rdf.model.Model;
+
+public class AttributeValueChecker {
+    private static final Log log = LogFactory.getLog(AttributeValueChecker.class);
+
+    static boolean test(Check attr, AuthorizationRequest ar, String... values) {
+        CheckType testType = attr.getType();
+        switch (testType) {
+            case EQUALS:
+                return equals(attr, values);
+            case NOT_EQUALS:
+                return !equals(attr, values);
+            case ONE_OF:
+                return contains(attr, values);
+            case NOT_ONE_OF:
+                return !contains(attr, values);
+            case STARTS_WITH:
+                return startsWith(attr, values);
+            case SPARQL_SELECT_QUERY_CONTAINS:
+                return sparqlQueryContains(attr, ar, values);
+            default:
+                return false;
+        }
+    }
+
+    private static boolean sparqlQueryContains(Check attr, AuthorizationRequest ar, String[] inputValues) {
+        AttributeValueSet values = attr.getValues();
+        if (!values.containsSingleValue()) {
+            log.error("SparqlQueryContains more than  one value");
+            return false;
+        }
+        String queryTemplate = values.getSingleValue();
+        if (StringUtils.isBlank(queryTemplate)) {
+            log.error("SparqlQueryContains template is empty");
+            return false;
+        }
+        AccessObject ao = ar.getAccessObject();
+        Model m = ao.getStatementOntModel();
+        if (m == null) {
+            log.debug("SparqlQueryContains model is not provided");
+            return false;
+        }
+        List<String> personUris = ar.getEditorUris();
+        if (personUris.isEmpty()) {
+            if (queryTemplate.contains("?personUri")) {
+                log.debug("Subject has no person URIs");
+                return false;
+            } else {
+                personUris.add("");
+            }
+        }
+        List<String> resourceUris = Arrays.asList(ao.getResourceUris());
+        return ProximityChecker.isAnyRelated(m, resourceUris, personUris, queryTemplate);
+    }
+
+    private static boolean contains(Check attr, String... inputValues) {
+        AttributeValueSet values = attr.getValues();
+        for (String inputValue : inputValues) {
+            if (values.contains(inputValue)) {
+                return true;
+            }
+        }
+        return false;
+    }
+
+    private static boolean equals(Check attr, String... inputValues) {
+        AttributeValueSet values = attr.getValues();
+        if (!values.containsSingleValue()) {
+            return false;
+        }
+        for (String inputValue : inputValues) {
+            if (values.contains(inputValue)) {
+                return true;
+            }
+        }
+        return false;
+    }
+
+    private static boolean startsWith(Check attr, String... inputValues) {
+        AttributeValueSet values = attr.getValues();
+        if (!values.containsSingleValue()) {
+            return false;
+        }
+        String value = values.getSingleValue();
+        for (String inputValue : inputValues) {
+            if (inputValue != null && inputValue.startsWith(value)) {
+                return true;
+            }
+        }
+        return false;
+    }
+
+}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/Check.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/Check.java
new file mode 100644
index 0000000000..99a06bc020
--- /dev/null
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/Check.java
@@ -0,0 +1,29 @@
+/* $This file is distributed under the terms of the license in LICENSE$ */
+
+package edu.cornell.mannlib.vitro.webapp.auth.checks;
+
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.Attribute;
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AttributeValueSet;
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.AuthorizationRequest;
+
+public interface Check {
+
+    void setUri(String uri);
+
+    String getUri();
+
+    boolean check(AuthorizationRequest ar);
+
+    Attribute getAttributeType();
+
+    CheckType getType();
+
+    AttributeValueSet getValues();
+
+    void addValue(String value);
+
+    void setType(CheckType valueOf);
+
+    long getComputationalCost();
+
+}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/CheckFactory.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/CheckFactory.java
new file mode 100644
index 0000000000..1a18355be8
--- /dev/null
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/CheckFactory.java
@@ -0,0 +1,73 @@
+/* $This file is distributed under the terms of the license in LICENSE$ */
+
+package edu.cornell.mannlib.vitro.webapp.auth.checks;
+
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.Attribute;
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AttributeValueKey;
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AttributeValueSet;
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.ValueSetFactory;
+import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyLoader;
+import org.apache.jena.query.QuerySolution;
+
+public class CheckFactory {
+
+    public static Check createCheck(QuerySolution qs, AttributeValueKey dataSetKey) {
+        String typeId = qs.getLiteral(PolicyLoader.TYPE_ID).getString();
+        String checkUri = qs.getResource(PolicyLoader.CHECK).getURI();
+        Attribute type = Attribute.valueOf(typeId);
+        String testId = qs.getLiteral("testId").getString();
+        String value = getValue(qs);
+        AttributeValueSet set = ValueSetFactory.create(value, qs, dataSetKey);
+        Check check = null;
+        switch (type) {
+            case SUBJECT_ROLE_URI:
+                check = new SubjectRoleCheck(checkUri, set);
+                break;
+            case OPERATION:
+                check = new OperationCheck(checkUri, set);
+                break;
+            case ACCESS_OBJECT_URI:
+                check = new AccessObjectUriCheck(checkUri, set);
+                break;
+            case ACCESS_OBJECT_TYPE:
+                check = new AccessObjectTypeCheck(checkUri, set);
+                break;
+            case SUBJECT_TYPE:
+                check = new SubjectTypeCheck(checkUri, set);
+                break;
+            case STATEMENT_PREDICATE_URI:
+                check = new StatementPredicateUriCheck(checkUri, set);
+                break;
+            case STATEMENT_SUBJECT_URI:
+                check = new StatementSubjectUriCheck(checkUri, set);
+                break;
+            case STATEMENT_OBJECT_URI:
+                check = new StatementObjectUriCheck(checkUri, set);
+                break;
+            default:
+                check = null;
+        }
+        check.setType(CheckType.valueOf(testId));
+        return check;
+    }
+
+    private static String getValue(QuerySolution qs) {
+        if (!qs.contains(PolicyLoader.LITERAL_VALUE) || !qs.get(PolicyLoader.LITERAL_VALUE).isLiteral()) {
+            String value = qs.getResource(PolicyLoader.ATTR_VALUE).getURI();
+            return value;
+        } else {
+            String value = qs.getLiteral(PolicyLoader.LITERAL_VALUE).toString();
+            return value;
+        }
+    }
+
+    public static void extendAttribute(Check check, QuerySolution qs) throws Exception {
+        String testId = qs.getLiteral("testId").getString();
+        if (CheckType.ONE_OF.toString().equals(testId) || CheckType.NOT_ONE_OF.toString().equals(testId)) {
+            check.addValue(getValue(qs));
+            return;
+        }
+        throw new IllegalArgumentException(
+                String.format("Operator '%s' can't be used in combination with multiple attribute values.", testId));
+    }
+}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/CheckType.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/CheckType.java
new file mode 100644
index 0000000000..3a5bf7fe91
--- /dev/null
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/CheckType.java
@@ -0,0 +1,12 @@
+/* $This file is distributed under the terms of the license in LICENSE$ */
+
+package edu.cornell.mannlib.vitro.webapp.auth.checks;
+
+public enum CheckType {
+    EQUALS,
+    NOT_EQUALS,
+    ONE_OF,
+    NOT_ONE_OF,
+    STARTS_WITH,
+    SPARQL_SELECT_QUERY_CONTAINS
+}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/OperationCheck.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/OperationCheck.java
new file mode 100644
index 0000000000..7aaeff8a91
--- /dev/null
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/OperationCheck.java
@@ -0,0 +1,37 @@
+/* $This file is distributed under the terms of the license in LICENSE$ */
+
+package edu.cornell.mannlib.vitro.webapp.auth.checks;
+
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation;
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.Attribute;
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AttributeValueSet;
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.AuthorizationRequest;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+public class OperationCheck extends AbstractCheck {
+
+    private static final Log log = LogFactory.getLog(OperationCheck.class);
+
+    public OperationCheck(String uri, AttributeValueSet values) {
+        super(uri, values);
+    }
+
+    @Override
+    public boolean check(AuthorizationRequest ar) {
+        AccessOperation aop = ar.getAccessOperation();
+        final String inputValue = aop.toString();
+        if (AttributeValueChecker.test(this, ar, inputValue)) {
+            log.debug("Checked operation match requested operation '" + inputValue + "'");
+            return true;
+        }
+        log.debug("Checked operation don't match requested operation '" + inputValue + "'");
+        return false;
+    }
+
+    @Override
+    public Attribute getAttributeType() {
+        return Attribute.OPERATION;
+    }
+
+}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/ProximityChecker.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/ProximityChecker.java
new file mode 100644
index 0000000000..14b3306f36
--- /dev/null
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/ProximityChecker.java
@@ -0,0 +1,75 @@
+/* $This file is distributed under the terms of the license in LICENSE$ */
+
+package edu.cornell.mannlib.vitro.webapp.auth.checks;
+
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.jena.query.ParameterizedSparqlString;
+import org.apache.jena.query.Query;
+import org.apache.jena.query.QueryExecution;
+import org.apache.jena.query.QueryExecutionFactory;
+import org.apache.jena.query.QueryFactory;
+import org.apache.jena.query.QuerySolution;
+import org.apache.jena.query.ResultSet;
+import org.apache.jena.rdf.model.Model;
+
+public class ProximityChecker {
+    private static final Log log = LogFactory.getLog(ProximityChecker.class);
+
+    public static boolean isAnyRelated(Model ontModel, List<String> resourceUris, List<String> personUris,
+            String query) {
+        for (String personUri : personUris) {
+            List<String> connectedResourceUris = getRelatedUris(ontModel, personUri, query);
+            for (String connectedResourceUri : connectedResourceUris) {
+                if (resourceUris.contains(connectedResourceUri)) {
+                    return true;
+                }
+            }
+        }
+        return false;
+    }
+
+    private static List<String> getRelatedUris(Model model, String personUri, String queryTemplate) {
+        HashMap<String, List<String>> queryMap = QueryResultsMapCache.get();
+        String queryMapKey = createQueryMapKey(personUri, queryTemplate);
+        if (queryMap.containsKey(queryMapKey)) {
+            return queryMap.get(queryMapKey);
+        }
+
+        List<String> resourceUris = new ArrayList<>();
+        ParameterizedSparqlString pss = new ParameterizedSparqlString();
+        pss.setCommandText(queryTemplate);
+        pss.setIri("personUri", personUri);
+        String queryText = pss.toString();
+        debug("queryText: " + queryText);
+        Query query = QueryFactory.create(queryText);
+        QueryExecution queryExecution = QueryExecutionFactory.create(query, model);
+        try {
+            ResultSet resultSet = queryExecution.execSelect();
+            while (resultSet.hasNext()) {
+                QuerySolution qs = resultSet.nextSolution();
+                resourceUris.add(qs.getResource("resourceUri").getURI());
+            }
+        } finally {
+            queryExecution.close();
+        }
+        debug("query results: " + resourceUris);
+        queryMap.put(queryMapKey, resourceUris);
+        QueryResultsMapCache.update(queryMap);
+        return resourceUris;
+    }
+
+    private static void debug(String queryText) {
+        if (log.isDebugEnabled()) {
+            log.debug(queryText);
+        }
+    }
+
+    private static String createQueryMapKey(String personUri, String queryTemplate) {
+        return queryTemplate + "." + personUri;
+    }
+}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/QueryResultsMapCache.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/QueryResultsMapCache.java
new file mode 100644
index 0000000000..761131cdbd
--- /dev/null
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/QueryResultsMapCache.java
@@ -0,0 +1,48 @@
+/* $This file is distributed under the terms of the license in LICENSE$ */
+
+package edu.cornell.mannlib.vitro.webapp.auth.checks;
+
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.List;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+public class QueryResultsMapCache implements AutoCloseable {
+    private static final Log log = LogFactory.getLog(QueryResultsMapCache.class);
+
+    private static ThreadLocal<HashMap<String, List<String>>> threadLocal =
+            new ThreadLocal<HashMap<String, List<String>>>();
+
+    public QueryResultsMapCache() {
+        threadLocal.set(new HashMap<String, List<String>>());
+        log.debug("Query results map cache initialized");
+    }
+
+    @Override
+    public void close() throws IOException {
+        threadLocal.remove();
+        log.debug("QueryResultsMapCache is closed");
+    }
+
+    public static HashMap<String, List<String>> get() {
+        HashMap<String, List<String>> queryResultsMap = threadLocal.get();
+        if (queryResultsMap == null) {
+            queryResultsMap = new HashMap<String, List<String>>();
+            log.debug("Use a non-cached query results map");
+        } else {
+            log.debug("Use cached query results map");
+        }
+        return queryResultsMap;
+    }
+
+    public static void update(HashMap<String, List<String>> queryResultsMap) {
+        if (threadLocal.get() != null) {
+            threadLocal.set(queryResultsMap);
+            log.debug("Query results map cache has been updated");
+        } else {
+            log.debug("Query results map cache has not been updated as it wasn't initialized");
+        }
+    }
+}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/StatementObjectUriCheck.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/StatementObjectUriCheck.java
new file mode 100644
index 0000000000..6c5e9f39d8
--- /dev/null
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/StatementObjectUriCheck.java
@@ -0,0 +1,37 @@
+/* $This file is distributed under the terms of the license in LICENSE$ */
+
+package edu.cornell.mannlib.vitro.webapp.auth.checks;
+
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.Attribute;
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AttributeValueSet;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.AccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.AuthorizationRequest;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+public class StatementObjectUriCheck extends AbstractCheck {
+
+    private static final Log log = LogFactory.getLog(StatementObjectUriCheck.class);
+
+    public StatementObjectUriCheck(String uri, AttributeValueSet values) {
+        super(uri, values);
+    }
+
+    @Override
+    public boolean check(AuthorizationRequest ar) {
+        AccessObject ao = ar.getAccessObject();
+        final String inputValue = ao.getStatementObject();
+        if (AttributeValueChecker.test(this, ar, inputValue)) {
+            log.debug("Attribute value match requested statement object uri '" + inputValue + "'");
+            return true;
+        }
+        log.debug("Attribute value don't match requested statement object uri '" + inputValue + "'");
+        return false;
+    }
+
+    @Override
+    public Attribute getAttributeType() {
+        return Attribute.STATEMENT_OBJECT_URI;
+    }
+
+}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/StatementPredicateUriCheck.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/StatementPredicateUriCheck.java
new file mode 100644
index 0000000000..002697eea3
--- /dev/null
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/StatementPredicateUriCheck.java
@@ -0,0 +1,37 @@
+/* $This file is distributed under the terms of the license in LICENSE$ */
+
+package edu.cornell.mannlib.vitro.webapp.auth.checks;
+
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.Attribute;
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AttributeValueSet;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.AccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.AuthorizationRequest;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+public class StatementPredicateUriCheck extends AbstractCheck {
+
+    private static final Log log = LogFactory.getLog(StatementPredicateUriCheck.class);
+
+    public StatementPredicateUriCheck(String uri, AttributeValueSet values) {
+        super(uri, values);
+    }
+
+    @Override
+    public boolean check(AuthorizationRequest ar) {
+        AccessObject ao = ar.getAccessObject();
+        final String inputValue = ao.getStatementPredicateUri();
+        if (AttributeValueChecker.test(this, ar, inputValue)) {
+            log.debug("Attribute value match requested statement predicate uri '" + inputValue + "'");
+            return true;
+        }
+        log.debug("Attribute value don't match requested statement predicate uri '" + inputValue + "'");
+        return false;
+    }
+
+    @Override
+    public Attribute getAttributeType() {
+        return Attribute.STATEMENT_PREDICATE_URI;
+    }
+
+}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/StatementSubjectUriCheck.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/StatementSubjectUriCheck.java
new file mode 100644
index 0000000000..e181043f9f
--- /dev/null
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/StatementSubjectUriCheck.java
@@ -0,0 +1,37 @@
+/* $This file is distributed under the terms of the license in LICENSE$ */
+
+package edu.cornell.mannlib.vitro.webapp.auth.checks;
+
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.Attribute;
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AttributeValueSet;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.AccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.AuthorizationRequest;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+public class StatementSubjectUriCheck extends AbstractCheck {
+
+    private static final Log log = LogFactory.getLog(StatementSubjectUriCheck.class);
+
+    public StatementSubjectUriCheck(String uri, AttributeValueSet values) {
+        super(uri, values);
+    }
+
+    @Override
+    public boolean check(AuthorizationRequest ar) {
+        AccessObject ao = ar.getAccessObject();
+        final String inputValue = ao.getStatementSubject();
+        if (AttributeValueChecker.test(this, ar, inputValue)) {
+            log.debug("Attribute value match requested statement subject uri '" + inputValue + "'");
+            return true;
+        }
+        log.debug("Attribute value don't match requested statement subject uri '" + inputValue + "'");
+        return false;
+    }
+
+    @Override
+    public Attribute getAttributeType() {
+        return Attribute.STATEMENT_SUBJECT_URI;
+    }
+
+}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/SubjectRoleCheck.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/SubjectRoleCheck.java
new file mode 100644
index 0000000000..ca5cd89ac1
--- /dev/null
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/SubjectRoleCheck.java
@@ -0,0 +1,37 @@
+/* $This file is distributed under the terms of the license in LICENSE$ */
+
+package edu.cornell.mannlib.vitro.webapp.auth.checks;
+
+import java.util.List;
+
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.Attribute;
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AttributeValueSet;
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.AuthorizationRequest;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+public class SubjectRoleCheck extends AbstractCheck {
+
+    private static final Log log = LogFactory.getLog(SubjectRoleCheck.class);
+
+    public SubjectRoleCheck(String uri, AttributeValueSet values) {
+        super(uri, values);
+    }
+
+    @Override
+    public boolean check(AuthorizationRequest ar) {
+        final List<String> inputValues = ar.getRoleUris();
+        if (AttributeValueChecker.test(this, ar, inputValues.toArray(new String[0]))) {
+            log.debug("Attribute match requested '" + inputValues + "'");
+            return true;
+        }
+        log.debug("Attribute don't match requested '" + inputValues + "'");
+        return false;
+    }
+
+    @Override
+    public Attribute getAttributeType() {
+        return Attribute.SUBJECT_ROLE_URI;
+    }
+
+}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/SubjectTypeCheck.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/SubjectTypeCheck.java
new file mode 100644
index 0000000000..8cada0556d
--- /dev/null
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/SubjectTypeCheck.java
@@ -0,0 +1,38 @@
+/* $This file is distributed under the terms of the license in LICENSE$ */
+
+package edu.cornell.mannlib.vitro.webapp.auth.checks;
+
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.Attribute;
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AttributeValueSet;
+import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle;
+import edu.cornell.mannlib.vitro.webapp.auth.identifier.common.IsRootUser;
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.AuthorizationRequest;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+public class SubjectTypeCheck extends AbstractCheck {
+
+    private static final Log log = LogFactory.getLog(SubjectTypeCheck.class);
+
+    public SubjectTypeCheck(String uri, AttributeValueSet values) {
+        super(uri, values);
+    }
+
+    @Override
+    public boolean check(AuthorizationRequest ar) {
+        IdentifierBundle ac_subject = ar.getIds();
+        String inputValue = IsRootUser.isRootUser(ac_subject) ? "ROOT_USER" : "";
+        if (AttributeValueChecker.test(this, ar, inputValue)) {
+            log.debug("Attribute subject type match requested object type '");
+            return true;
+        } else {
+            log.debug("Attribute subject type don't match requested object type '");
+            return false;
+        }
+    }
+
+    @Override
+    public Attribute getAttributeType() {
+        return Attribute.SUBJECT_TYPE;
+    }
+}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/identifier/ActiveIdentifierBundleFactories.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/identifier/ActiveIdentifierBundleFactories.java
index 1c88ee07cc..85ee992303 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/identifier/ActiveIdentifierBundleFactories.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/identifier/ActiveIdentifierBundleFactories.java
@@ -5,8 +5,6 @@
 import java.util.ArrayList;
 import java.util.List;
 
-import javax.servlet.ServletContext;
-import javax.servlet.ServletContextEvent;
 import javax.servlet.http.HttpServletRequest;
 
 import edu.cornell.mannlib.vitro.webapp.beans.UserAccount;
@@ -15,9 +13,19 @@
  * Keep a list of the active IdentifierBundleFactories in the context.
  */
 public class ActiveIdentifierBundleFactories {
-	private static final String ATTRIBUTE_ACTIVE_FACTORIES = ActiveIdentifierBundleFactories.class
-			.getName();
-
+    
+    private static ActiveIdentifierBundleFactories INSTANCE = new ActiveIdentifierBundleFactories();
+    
+    private final List<IdentifierBundleFactory> factories = new ArrayList<IdentifierBundleFactory>();
+
+    private ActiveIdentifierBundleFactories() {
+        INSTANCE = this;
+    }
+    
+    public static ActiveIdentifierBundleFactories getInstance() {
+        return INSTANCE;
+    }
+    
 	// ----------------------------------------------------------------------
 	// static methods
 	// ----------------------------------------------------------------------
@@ -25,40 +33,20 @@ public class ActiveIdentifierBundleFactories {
 	/**
 	 * Add a new IdentifierBundleFactory to the list.
 	 */
-	public static void addFactory(ServletContextEvent sce,
-			IdentifierBundleFactory factory) {
-		if (sce == null) {
-			throw new NullPointerException("sce may not be null.");
-		}
-		if (factory == null) {
-			throw new NullPointerException("factory may not be null.");
-		}
-
-		addFactory(sce.getServletContext(), factory);
-	}
-
-	/**
-	 * Add a new IdentifierBundleFactory to the list.
-	 */
-	public static void addFactory(ServletContext ctx,
-			IdentifierBundleFactory factory) {
-		if (ctx == null) {
-			throw new NullPointerException("ctx may not be null.");
-		}
+	public static void addFactory(IdentifierBundleFactory factory) {
 		if (factory == null) {
 			throw new NullPointerException("factory may not be null.");
 		}
-
-		getActiveFactories(ctx).addFactory(factory);
+		INSTANCE.factories.add(factory);
 	}
 
 	/**
 	 * Just for diagnostics. Don't expose the factories themselves, only their
 	 * names.
 	 */
-	public static List<String> getFactoryNames(ServletContext ctx) {
+	public static List<String> getFactoryNames() {
 		List<String> names = new ArrayList<String>();
-		ActiveIdentifierBundleFactories actFact = getActiveFactories(ctx);
+		ActiveIdentifierBundleFactories actFact = ActiveIdentifierBundleFactories.getInstance();
 		for (IdentifierBundleFactory factory : actFact.factories) {
 			names.add(factory.toString());
 		}
@@ -74,66 +62,20 @@ public static List<String> getFactoryNames(ServletContext ctx) {
 	 * request.
 	 */
 	static IdentifierBundle getIdentifierBundle(HttpServletRequest request) {
-		return getActiveFactories(request).getBundleForRequest(request);
+		return ActiveIdentifierBundleFactories.getInstance().getBundleForRequest(request);
 	}
 
 	/**
 	 * Get the Identifiers that would be created if this user were to log in.
 	 */
-	public static IdentifierBundle getUserIdentifierBundle(
-			HttpServletRequest request, UserAccount userAccount) {
-		return getActiveFactories(request).getBundleForUser(userAccount);
-	}
-
-	/**
-	 * Get the singleton instance from the servlet context. If there isn't one,
-	 * create one. This never returns null.
-	 */
-	private static ActiveIdentifierBundleFactories getActiveFactories(
-			HttpServletRequest req) {
-		if (req == null) {
-			throw new NullPointerException("req may not be null.");
-		}
-
-		return getActiveFactories(req.getSession().getServletContext());
-	}
-
-	/**
-	 * Get the singleton instance from the servlet context. If there isn't one,
-	 * create one. This never returns null.
-	 */
-	private static ActiveIdentifierBundleFactories getActiveFactories(
-			ServletContext ctx) {
-		if (ctx == null) {
-			throw new NullPointerException("ctx may not be null.");
-		}
-
-		Object obj = ctx.getAttribute(ATTRIBUTE_ACTIVE_FACTORIES);
-		if (obj == null) {
-			obj = new ActiveIdentifierBundleFactories();
-			ctx.setAttribute(ATTRIBUTE_ACTIVE_FACTORIES, obj);
-		}
-
-		if (!(obj instanceof ActiveIdentifierBundleFactories)) {
-			throw new IllegalStateException("Expected to find an instance of "
-					+ ActiveIdentifierBundleFactories.class.getName()
-					+ " in the context, but found an instance of "
-					+ obj.getClass().getName() + " instead.");
-		}
-
-		return (ActiveIdentifierBundleFactories) obj;
+	public static IdentifierBundle getUserIdentifierBundle(UserAccount userAccount) {
+		return ActiveIdentifierBundleFactories.getInstance().getBundleForUser(userAccount);
 	}
 
 	// ----------------------------------------------------------------------
 	// the instance
 	// ----------------------------------------------------------------------
 
-	private final List<IdentifierBundleFactory> factories = new ArrayList<IdentifierBundleFactory>();
-
-	private void addFactory(IdentifierBundleFactory factory) {
-		factories.add(factory);
-	}
-
 	/**
 	 * Run through the active factories and get all Identifiers for this
 	 * request.
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/identifier/common/HasPermission.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/identifier/common/HasPermission.java
deleted file mode 100644
index 3aa9aeff12..0000000000
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/identifier/common/HasPermission.java
+++ /dev/null
@@ -1,72 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.identifier.common;
-
-import java.util.Collection;
-import java.util.HashSet;
-import java.util.Set;
-
-import edu.cornell.mannlib.vitro.webapp.auth.identifier.Identifier;
-import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle;
-import edu.cornell.mannlib.vitro.webapp.auth.permissions.Permission;
-
-/**
- * The current user has this Permission, through one or more PermissionSets.
- */
-public class HasPermission extends AbstractCommonIdentifier implements
-		Identifier, Comparable<HasPermission> {
-	public static Collection<HasPermission> getIdentifiers(IdentifierBundle ids) {
-		return getIdentifiersForClass(ids, HasPermission.class);
-	}
-
-	public static Collection<Permission> getPermissions(IdentifierBundle ids) {
-		Set<Permission> set = new HashSet<Permission>();
-		for (HasPermission id : getIdentifiers(ids)) {
-			set.add(id.getPermission());
-		}
-		return set;
-	}
-
-	private final Permission permission; // never null
-
-	public HasPermission(Permission permission) {
-		if (permission == null) {
-			throw new NullPointerException("permission may not be null.");
-		}
-		this.permission = permission;
-	}
-
-	public Permission getPermission() {
-		return permission;
-	}
-
-	@Override
-	public String toString() {
-		return "HasPermission[" + permission + "]";
-	}
-
-	@Override
-	public int hashCode() {
-		return permission.hashCode();
-	}
-
-	@Override
-	public boolean equals(Object obj) {
-		if (obj == this) {
-			return true;
-		}
-		if (obj == null) {
-			return false;
-		}
-		if (!(obj instanceof HasPermission)) {
-			return false;
-		}
-		HasPermission that = (HasPermission) obj;
-		return this.permission.equals(that.permission);
-	}
-
-	@Override
-	public int compareTo(HasPermission that) {
-		return this.permission.compareTo(that.permission);
-	}
-}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/identifier/common/HasPermissionSet.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/identifier/common/HasPermissionSet.java
deleted file mode 100644
index cf94e1437c..0000000000
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/identifier/common/HasPermissionSet.java
+++ /dev/null
@@ -1,81 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.identifier.common;
-
-import java.util.Collection;
-import java.util.HashSet;
-import java.util.Set;
-
-import edu.cornell.mannlib.vitro.webapp.auth.identifier.Identifier;
-import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle;
-import edu.cornell.mannlib.vitro.webapp.beans.PermissionSet;
-
-/**
- * The current user has this Permission, through one or more PermissionSets.
- */
-public class HasPermissionSet extends AbstractCommonIdentifier implements
-		Identifier, Comparable<HasPermissionSet> {
-	public static Collection<HasPermissionSet> getIdentifiers(IdentifierBundle ids) {
-		return getIdentifiersForClass(ids, HasPermissionSet.class);
-	}
-
-	public static Collection<PermissionSet> getPermissionSets(IdentifierBundle ids) {
-		Set<PermissionSet> set = new HashSet<>();
-		for (HasPermissionSet id : getIdentifiers(ids)) {
-			set.add(id.getPermissionSet());
-		}
-		return set;
-	}
-
-	public static Collection<String> getPermissionSetUris(IdentifierBundle ids) {
-		Set<String> set = new HashSet<>();
-		for (HasPermissionSet id : getIdentifiers(ids)) {
-			set.add(id.getPermissionSet().getUri());
-		}
-		return set;
-	}
-
-	private final PermissionSet permissionSet; // never null
-
-	public HasPermissionSet(PermissionSet permissionSet) {
-		if (permissionSet == null) {
-			throw new NullPointerException("permissionSet may not be null.");
-		}
-		this.permissionSet = permissionSet;
-	}
-
-	public PermissionSet getPermissionSet() {
-		return permissionSet;
-	}
-
-	@Override
-	public String toString() {
-		return "HasPermissionSet[" + permissionSet.getLabel() + "]";
-	}
-
-	@Override
-	public int hashCode() {
-		return permissionSet.getUri().hashCode();
-	}
-
-	@Override
-	public boolean equals(Object obj) {
-		if (obj == this) {
-			return true;
-		}
-		if (obj == null) {
-			return false;
-		}
-		if (!(obj instanceof HasPermissionSet)) {
-			return false;
-		}
-		HasPermissionSet that = (HasPermissionSet) obj;
-		return this.permissionSet.getUri().equals(that.permissionSet.getUri());
-	}
-
-	@Override
-	public int compareTo(HasPermissionSet that) {
-		return this.permissionSet.getUri().compareTo(
-				that.permissionSet.getUri());
-	}
-}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/identifier/common/IdentifierPermissionSetProvider.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/identifier/common/IdentifierPermissionSetProvider.java
new file mode 100644
index 0000000000..1e26536c8e
--- /dev/null
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/identifier/common/IdentifierPermissionSetProvider.java
@@ -0,0 +1,80 @@
+/* $This file is distributed under the terms of the license in LICENSE$ */
+
+package edu.cornell.mannlib.vitro.webapp.auth.identifier.common;
+
+import java.util.Collection;
+import java.util.HashSet;
+import java.util.Set;
+
+import edu.cornell.mannlib.vitro.webapp.auth.identifier.Identifier;
+import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle;
+import edu.cornell.mannlib.vitro.webapp.beans.PermissionSet;
+
+/**
+ * The current user has this Permission, through one or more PermissionSets.
+ */
+public class IdentifierPermissionSetProvider extends AbstractCommonIdentifier
+        implements Identifier, Comparable<IdentifierPermissionSetProvider> {
+    public static Collection<IdentifierPermissionSetProvider> getIdentifiers(IdentifierBundle ids) {
+        return getIdentifiersForClass(ids, IdentifierPermissionSetProvider.class);
+    }
+
+    public static Collection<PermissionSet> getPermissionSets(IdentifierBundle ids) {
+        Set<PermissionSet> set = new HashSet<>();
+        for (IdentifierPermissionSetProvider id : getIdentifiers(ids)) {
+            set.add(id.getPermissionSet());
+        }
+        return set;
+    }
+
+    public static Collection<String> getPermissionSetUris(IdentifierBundle ids) {
+        Set<String> set = new HashSet<>();
+        for (IdentifierPermissionSetProvider id : getIdentifiers(ids)) {
+            set.add(id.getPermissionSet().getUri());
+        }
+        return set;
+    }
+
+    private final PermissionSet permissionSet; // never null
+
+    public IdentifierPermissionSetProvider(PermissionSet permissionSet) {
+        if (permissionSet == null) {
+            throw new NullPointerException("permissionSet may not be null.");
+        }
+        this.permissionSet = permissionSet;
+    }
+
+    public PermissionSet getPermissionSet() {
+        return permissionSet;
+    }
+
+    @Override
+    public String toString() {
+        return "HasPermissionSet[" + permissionSet.getLabel() + "]";
+    }
+
+    @Override
+    public int hashCode() {
+        return permissionSet.getUri().hashCode();
+    }
+
+    @Override
+    public boolean equals(Object obj) {
+        if (obj == this) {
+            return true;
+        }
+        if (obj == null) {
+            return false;
+        }
+        if (!(obj instanceof IdentifierPermissionSetProvider)) {
+            return false;
+        }
+        IdentifierPermissionSetProvider that = (IdentifierPermissionSetProvider) obj;
+        return this.permissionSet.getUri().equals(that.permissionSet.getUri());
+    }
+
+    @Override
+    public int compareTo(IdentifierPermissionSetProvider that) {
+        return this.permissionSet.getUri().compareTo(that.permissionSet.getUri());
+    }
+}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/identifier/common/IsBlacklisted.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/identifier/common/IsBlacklisted.java
deleted file mode 100644
index 36275f37bb..0000000000
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/identifier/common/IsBlacklisted.java
+++ /dev/null
@@ -1,232 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.identifier.common;
-
-import java.io.File;
-import java.io.FileFilter;
-import java.io.FileInputStream;
-import java.io.IOException;
-import java.util.Collection;
-import java.util.HashSet;
-import java.util.Set;
-
-import javax.servlet.ServletContext;
-
-import org.apache.commons.lang3.StringUtils;
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-
-import org.apache.jena.ontology.OntModel;
-import org.apache.jena.query.Query;
-import org.apache.jena.query.QueryExecution;
-import org.apache.jena.query.QueryExecutionFactory;
-import org.apache.jena.query.QueryFactory;
-import org.apache.jena.query.QuerySolution;
-import org.apache.jena.query.ResultSet;
-import org.apache.jena.rdf.model.RDFNode;
-
-import edu.cornell.mannlib.vitro.webapp.auth.identifier.Identifier;
-import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle;
-import edu.cornell.mannlib.vitro.webapp.beans.Individual;
-import edu.cornell.mannlib.vitro.webapp.modelaccess.ModelAccess;
-
-/**
- * The current user is blacklisted for this reason.
- */
-public class IsBlacklisted extends AbstractCommonIdentifier implements
-		Identifier {
-	private static final Log log = LogFactory.getLog(IsBlacklisted.class);
-
-	private final static String BLACKLIST_SPARQL_DIR = "/admin/selfEditBlacklist";
-	private static final String NOT_BLACKLISTED = null;
-
-	// ----------------------------------------------------------------------
-	// static methods
-	// ----------------------------------------------------------------------
-
-	/**
-	 * If this individual is blacklisted, return an appropriate Identifier.
-	 * Otherwise, return null.
-	 */
-	public static IsBlacklisted getInstance(Individual individual,
-			ServletContext context) {
-		if (individual == null) {
-			throw new NullPointerException("individual may not be null.");
-		}
-		if (context == null) {
-			throw new NullPointerException("context may not be null.");
-		}
-
-		String reasonForBlacklisting = checkForBlacklisted(individual, context);
-		IsBlacklisted id = new IsBlacklisted(individual.getURI(),
-				reasonForBlacklisting);
-		if (id.isBlacklisted()) {
-			return id;
-		} else {
-			return null;
-		}
-	}
-
-	/**
-	 * Runs through .sparql files in the BLACKLIST_SPARQL_DIR.
-	 *
-	 * The first that returns one or more rows will be cause the user to be
-	 * blacklisted.
-	 *
-	 * The first variable from the first solution set will be returned.
-	 */
-	private static String checkForBlacklisted(Individual ind,
-			ServletContext context) {
-		String realPath = context.getRealPath(BLACKLIST_SPARQL_DIR);
-		File blacklistDir = new File(realPath);
-		if (!blacklistDir.isDirectory() || !blacklistDir.canRead()) {
-			log.debug("cannot read blacklist directory " + realPath);
-			return NOT_BLACKLISTED;
-		}
-
-		log.debug("checking directlry " + realPath
-				+ " for blacklisting sparql query files");
-		File[] files = blacklistDir.listFiles(new FileFilter() {
-			@Override
-			public boolean accept(File pathname) {
-				return pathname.getName().endsWith(".sparql");
-			}
-		});
-
-		String reasonForBlacklist = NOT_BLACKLISTED;
-		for (File file : files) {
-			try {
-				reasonForBlacklist = runSparqlFileForBlacklist(file, ind,
-						context);
-				if (reasonForBlacklist != NOT_BLACKLISTED)
-					break;
-			} catch (RuntimeException ex) {
-				log.error(
-						"Could not run blacklist check query for file "
-								+ file.getAbsolutePath() + File.separatorChar
-								+ file.getName(), ex);
-			}
-		}
-		return reasonForBlacklist;
-	}
-
-	/**
-	 * Runs the SPARQL query in the file with the uri of the individual
-	 * substituted in.
-	 *
-	 * The URI of ind will be substituted into the query where ever the token
-	 * "?individualURI" is found.
-	 *
-	 * If there are any solution sets, then the URI of the variable named
-	 * "cause" will be returned. Make sure that it is a resource with a URI.
-	 * Otherwise null will be returned.
-	 */
-	private static String runSparqlFileForBlacklist(File file, Individual ind,
-			ServletContext context) {
-		if (!file.canRead()) {
-			log.debug("cannot read blacklisting SPARQL file " + file.getName());
-			return NOT_BLACKLISTED;
-		}
-
-		String queryString = null;
-		FileInputStream fis = null;
-		try {
-			fis = new FileInputStream(file);
-			byte b[] = new byte[fis.available()];
-			fis.read(b);
-			queryString = new String(b);
-		} catch (IOException ioe) {
-			log.debug(ioe);
-			return NOT_BLACKLISTED;
-		} finally {
-			if (fis != null) {
-				try {
-					fis.close();
-				} catch (IOException e) {
-					log.warn("could not close file", e);
-				}
-			}
-		}
-
-		if (StringUtils.isEmpty(queryString)) {
-			log.debug(file.getName() + " is empty");
-			return NOT_BLACKLISTED;
-		}
-
-		OntModel model = ModelAccess.on(context).getOntModel();
-
-		queryString = queryString.replaceAll("\\?individualURI",
-				"<" + ind.getURI() + ">");
-		log.debug(queryString);
-
-		Query query = QueryFactory.create(queryString);
-		QueryExecution qexec = QueryExecutionFactory.create(query, model);
-		try {
-			ResultSet results = qexec.execSelect();
-			while (results.hasNext()) {
-				QuerySolution solution = results.nextSolution();
-				if (solution.contains("cause")) {
-					RDFNode node = solution.get("cause");
-					if (node.isResource()) {
-						return node.asResource().getURI();
-					} else if (node.isLiteral()) {
-						return node.asLiteral().getString();
-					}
-				} else {
-					log.error("Query solution must contain a variable "
-							+ "\"cause\" of type Resource or Literal.");
-					return NOT_BLACKLISTED;
-				}
-			}
-		} finally {
-			qexec.close();
-		}
-		return NOT_BLACKLISTED;
-	}
-
-	public static Collection<IsBlacklisted> getIdentifiers(IdentifierBundle ids) {
-		return getIdentifiersForClass(ids, IsBlacklisted.class);
-	}
-
-	public static Collection<String> getBlacklistReasons(IdentifierBundle ids) {
-		Set<String> set = new HashSet<String>();
-		for (IsBlacklisted id : getIdentifiers(ids)) {
-			if (id.isBlacklisted()) {
-				set.add(id.getReasonForBlacklisting());
-			}
-		}
-		return set;
-	}
-
-	// ----------------------------------------------------------------------
-	// the Identifier
-	// ----------------------------------------------------------------------
-
-	private final String associatedIndividualUri;
-	private final String reasonForBlacklisting;
-
-	public IsBlacklisted(String associatedIndividualUri,
-			String reasonForBlacklisting) {
-		this.associatedIndividualUri = associatedIndividualUri;
-		this.reasonForBlacklisting = reasonForBlacklisting;
-	}
-
-	public String getAssociatedIndividualUri() {
-		return associatedIndividualUri;
-	}
-
-	public boolean isBlacklisted() {
-		return reasonForBlacklisting != NOT_BLACKLISTED;
-	}
-
-	public String getReasonForBlacklisting() {
-		return reasonForBlacklisting;
-	}
-
-	@Override
-	public String toString() {
-		return "IsBlacklisted[" + associatedIndividualUri + ", "
-				+ reasonForBlacklisting + "]";
-	}
-
-}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/identifier/factory/BaseIdentifierBundleFactory.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/identifier/factory/BaseIdentifierBundleFactory.java
index 75bd8c119a..be0909d1ce 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/identifier/factory/BaseIdentifierBundleFactory.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/identifier/factory/BaseIdentifierBundleFactory.java
@@ -2,8 +2,6 @@
 
 package edu.cornell.mannlib.vitro.webapp.auth.identifier.factory;
 
-import javax.servlet.ServletContext;
-
 import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundleFactory;
 import edu.cornell.mannlib.vitro.webapp.dao.IndividualDao;
 import edu.cornell.mannlib.vitro.webapp.modelaccess.ModelAccess;
@@ -15,17 +13,12 @@
  */
 public abstract class BaseIdentifierBundleFactory implements
 		IdentifierBundleFactory {
-	protected final ServletContext ctx;
 	protected final WebappDaoFactory wdf;
 	protected final UserAccountsDao uaDao;
 	protected final IndividualDao indDao;
 
-	public BaseIdentifierBundleFactory(ServletContext ctx) {
-		if (ctx == null) {
-			throw new NullPointerException("ctx may not be null.");
-		}
-		this.ctx = ctx;
-		this.wdf = ModelAccess.on(ctx).getWebappDaoFactory();
+	public BaseIdentifierBundleFactory() {
+		this.wdf = ModelAccess.getInstance().getWebappDaoFactory();
 		this.uaDao = wdf.getUserAccountsDao();
 		this.indDao = wdf.getIndividualDao();
 	}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/identifier/factory/BaseUserBasedIdentifierBundleFactory.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/identifier/factory/BaseUserBasedIdentifierBundleFactory.java
index 93aa965036..3aed5afec7 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/identifier/factory/BaseUserBasedIdentifierBundleFactory.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/identifier/factory/BaseUserBasedIdentifierBundleFactory.java
@@ -2,7 +2,6 @@
 
 package edu.cornell.mannlib.vitro.webapp.auth.identifier.factory;
 
-import javax.servlet.ServletContext;
 import javax.servlet.http.HttpServletRequest;
 
 import edu.cornell.mannlib.vedit.beans.LoginStatusBean;
@@ -16,10 +15,6 @@
 public abstract class BaseUserBasedIdentifierBundleFactory extends
 		BaseIdentifierBundleFactory implements UserBasedIdentifierBundleFactory {
 
-	public BaseUserBasedIdentifierBundleFactory(ServletContext ctx) {
-		super(ctx);
-	}
-
 	@Override
 	public final IdentifierBundle getIdentifierBundle(HttpServletRequest request) {
 		return getIdentifierBundleForUser(LoginStatusBean
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/identifier/factory/HasPermissionFactory.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/identifier/factory/HasPermissionFactory.java
deleted file mode 100644
index 44d0689d46..0000000000
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/identifier/factory/HasPermissionFactory.java
+++ /dev/null
@@ -1,90 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.identifier.factory;
-
-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Set;
-
-import javax.servlet.ServletContext;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-
-import edu.cornell.mannlib.vitro.webapp.auth.identifier.ArrayIdentifierBundle;
-import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle;
-import edu.cornell.mannlib.vitro.webapp.auth.identifier.common.HasPermission;
-import edu.cornell.mannlib.vitro.webapp.auth.permissions.Permission;
-import edu.cornell.mannlib.vitro.webapp.auth.permissions.PermissionRegistry;
-import edu.cornell.mannlib.vitro.webapp.beans.PermissionSet;
-import edu.cornell.mannlib.vitro.webapp.beans.UserAccount;
-
-/**
- * Figure out what Permissions the user is entitled to have.
- */
-public class HasPermissionFactory extends BaseUserBasedIdentifierBundleFactory {
-	private static final Log log = LogFactory
-			.getLog(HasPermissionFactory.class);
-
-	public HasPermissionFactory(ServletContext ctx) {
-		super(ctx);
-	}
-
-	@Override
-	public IdentifierBundle getIdentifierBundleForUser(UserAccount user) {
-		if (user == null) {
-			return createPublicPermissions();
-		} else {
-			return createUserPermissions(user);
-		}
-	}
-
-	private IdentifierBundle createPublicPermissions() {
-		Set<String> permissionUris = new HashSet<String>();
-		for (PermissionSet ps : uaDao.getAllPermissionSets()) {
-			if (ps.isForPublic()) {
-				permissionUris.addAll(ps.getPermissionUris());
-			}
-		}
-		log.debug("Permission URIs: " + permissionUris);
-
-		return new ArrayIdentifierBundle(
-				getIdentifiersFromPermissions(getPermissionsForUris(permissionUris)));
-	}
-
-	private IdentifierBundle createUserPermissions(UserAccount user) {
-		Set<String> permissionUris = new HashSet<String>();
-		for (String psUri : user.getPermissionSetUris()) {
-			PermissionSet ps = uaDao.getPermissionSetByUri(psUri);
-			if (ps != null) {
-				permissionUris.addAll(ps.getPermissionUris());
-			}
-		}
-		log.debug("user permission sets: " + user.getPermissionSetUris());
-		log.debug("Permission URIs: " + permissionUris);
-
-		return new ArrayIdentifierBundle(
-				getIdentifiersFromPermissions(getPermissionsForUris(permissionUris)));
-	}
-
-	private Collection<Permission> getPermissionsForUris(
-			Collection<String> permissionUris) {
-		List<Permission> permissions = new ArrayList<Permission>();
-		PermissionRegistry registry = PermissionRegistry.getRegistry(ctx);
-		for (String uri : permissionUris) {
-			permissions.add(registry.getPermission(uri));
-		}
-		return permissions;
-	}
-
-	private List<HasPermission> getIdentifiersFromPermissions(
-			Collection<Permission> permissions) {
-		List<HasPermission> ids = new ArrayList<HasPermission>();
-		for (Permission permission : permissions) {
-			ids.add(new HasPermission(permission));
-		}
-		return ids;
-	}
-}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/identifier/factory/HasPermissionSetFactory.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/identifier/factory/HasPermissionSetFactory.java
index e132251cff..fbcd90783f 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/identifier/factory/HasPermissionSetFactory.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/identifier/factory/HasPermissionSetFactory.java
@@ -2,28 +2,20 @@
 
 package edu.cornell.mannlib.vitro.webapp.auth.identifier.factory;
 
-import javax.servlet.ServletContext;
-
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
 import edu.cornell.mannlib.vitro.webapp.auth.identifier.ArrayIdentifierBundle;
 import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle;
-import edu.cornell.mannlib.vitro.webapp.auth.identifier.common.HasPermissionSet;
+import edu.cornell.mannlib.vitro.webapp.auth.identifier.common.IdentifierPermissionSetProvider;
 import edu.cornell.mannlib.vitro.webapp.beans.PermissionSet;
 import edu.cornell.mannlib.vitro.webapp.beans.UserAccount;
 
 /**
  * Figure out what PermissionSets the user is entitled to have.
  */
-public class HasPermissionSetFactory extends
-		BaseUserBasedIdentifierBundleFactory {
-	private static final Log log = LogFactory
-			.getLog(HasPermissionFactory.class);
-
-	public HasPermissionSetFactory(ServletContext ctx) {
-		super(ctx);
-	}
+public class HasPermissionSetFactory extends BaseUserBasedIdentifierBundleFactory {
+	private static final Log log = LogFactory.getLog(HasPermissionSetFactory.class);
 
 	@Override
 	public IdentifierBundle getIdentifierBundleForUser(UserAccount user) {
@@ -32,7 +24,7 @@ public IdentifierBundle getIdentifierBundleForUser(UserAccount user) {
 			for (String psUri : user.getPermissionSetUris()) {
 				PermissionSet ps = uaDao.getPermissionSetByUri(psUri);
 				if (ps != null) {
-					ids.add(new HasPermissionSet(ps));
+					ids.add(new IdentifierPermissionSetProvider(ps));
 				}
 			}
 		}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/identifier/factory/HasProfileFactory.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/identifier/factory/HasProfileFactory.java
new file mode 100644
index 0000000000..65544f65f8
--- /dev/null
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/identifier/factory/HasProfileFactory.java
@@ -0,0 +1,51 @@
+/* $This file is distributed under the terms of the license in LICENSE$ */
+
+package edu.cornell.mannlib.vitro.webapp.auth.identifier.factory;
+
+import java.util.ArrayList;
+import java.util.Collection;
+
+import edu.cornell.mannlib.vitro.webapp.auth.identifier.ArrayIdentifierBundle;
+import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle;
+import edu.cornell.mannlib.vitro.webapp.auth.identifier.common.HasProfile;
+import edu.cornell.mannlib.vitro.webapp.beans.Individual;
+import edu.cornell.mannlib.vitro.webapp.beans.SelfEditingConfiguration;
+import edu.cornell.mannlib.vitro.webapp.beans.UserAccount;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+/**
+ * Find all of the individuals that are associated with the current user and create HasAssociatedIndividual for each
+ * one.
+ */
+public class HasProfileFactory extends BaseUserBasedIdentifierBundleFactory {
+    private static final Log log = LogFactory.getLog(HasProfileFactory.class);
+
+    @Override
+    public IdentifierBundle getIdentifierBundleForUser(UserAccount user) {
+        ArrayIdentifierBundle ids = new ArrayIdentifierBundle();
+
+        for (Individual ind : getAssociatedIndividuals(user)) {
+            ids.add(new HasProfile(ind.getURI()));
+        }
+
+        return ids;
+    }
+
+    /**
+     * Get all Individuals associated with the current user as SELF.
+     */
+    private Collection<Individual> getAssociatedIndividuals(UserAccount user) {
+        Collection<Individual> individuals = new ArrayList<Individual>();
+
+        if (user == null) {
+            log.debug("No Associated Individuals: not logged in.");
+            return individuals;
+        }
+
+        SelfEditingConfiguration sec = SelfEditingConfiguration.getInstance();
+        individuals.addAll(sec.getAssociatedIndividuals(indDao, user));
+
+        return individuals;
+    }
+}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/identifier/factory/HasProfileOrIsBlacklistedFactory.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/identifier/factory/HasProfileOrIsBlacklistedFactory.java
deleted file mode 100644
index 674c795627..0000000000
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/identifier/factory/HasProfileOrIsBlacklistedFactory.java
+++ /dev/null
@@ -1,68 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.identifier.factory;
-
-import java.util.ArrayList;
-import java.util.Collection;
-
-import javax.servlet.ServletContext;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-
-import edu.cornell.mannlib.vitro.webapp.auth.identifier.ArrayIdentifierBundle;
-import edu.cornell.mannlib.vitro.webapp.auth.identifier.Identifier;
-import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle;
-import edu.cornell.mannlib.vitro.webapp.auth.identifier.common.HasProfile;
-import edu.cornell.mannlib.vitro.webapp.auth.identifier.common.IsBlacklisted;
-import edu.cornell.mannlib.vitro.webapp.beans.Individual;
-import edu.cornell.mannlib.vitro.webapp.beans.SelfEditingConfiguration;
-import edu.cornell.mannlib.vitro.webapp.beans.UserAccount;
-
-/**
- * Find all of the individuals that are associated with the current user, and
- * create either an IsBlacklisted or HasAssociatedIndividual for each one.
- */
-public class HasProfileOrIsBlacklistedFactory extends
-		BaseUserBasedIdentifierBundleFactory {
-	private static final Log log = LogFactory
-			.getLog(HasProfileOrIsBlacklistedFactory.class);
-
-	public HasProfileOrIsBlacklistedFactory(ServletContext ctx) {
-		super(ctx);
-	}
-
-	@Override
-	public IdentifierBundle getIdentifierBundleForUser(UserAccount user) {
-		ArrayIdentifierBundle ids = new ArrayIdentifierBundle();
-
-		for (Individual ind : getAssociatedIndividuals(user)) {
-			// If they are blacklisted, this factory will return an identifier
-			Identifier id = IsBlacklisted.getInstance(ind, ctx);
-			if (id != null) {
-				ids.add(id);
-			} else {
-				ids.add(new HasProfile(ind.getURI()));
-			}
-		}
-
-		return ids;
-	}
-
-	/**
-	 * Get all Individuals associated with the current user as SELF.
-	 */
-	private Collection<Individual> getAssociatedIndividuals(UserAccount user) {
-		Collection<Individual> individuals = new ArrayList<Individual>();
-
-		if (user == null) {
-			log.debug("No Associated Individuals: not logged in.");
-			return individuals;
-		}
-
-		SelfEditingConfiguration sec = SelfEditingConfiguration.getBean(ctx);
-		individuals.addAll(sec.getAssociatedIndividuals(indDao, user));
-
-		return individuals;
-	}
-}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/identifier/factory/HasProxyEditingRightsFactory.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/identifier/factory/HasProxyEditingRightsFactory.java
index c126bcb91e..718f9cbb64 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/identifier/factory/HasProxyEditingRightsFactory.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/identifier/factory/HasProxyEditingRightsFactory.java
@@ -2,8 +2,6 @@
 
 package edu.cornell.mannlib.vitro.webapp.auth.identifier.factory;
 
-import javax.servlet.ServletContext;
-
 import edu.cornell.mannlib.vitro.webapp.auth.identifier.ArrayIdentifierBundle;
 import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle;
 import edu.cornell.mannlib.vitro.webapp.auth.identifier.common.HasProxyEditingRights;
@@ -15,10 +13,6 @@
 public class HasProxyEditingRightsFactory extends
 		BaseUserBasedIdentifierBundleFactory {
 
-	public HasProxyEditingRightsFactory(ServletContext ctx) {
-		super(ctx);
-	}
-
 	@Override
 	public IdentifierBundle getIdentifierBundleForUser(UserAccount user) {
 		ArrayIdentifierBundle ids = new ArrayIdentifierBundle();
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/identifier/factory/IsRootUserFactory.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/identifier/factory/IsRootUserFactory.java
index 9767b2f2ea..fa8df2fe74 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/identifier/factory/IsRootUserFactory.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/identifier/factory/IsRootUserFactory.java
@@ -2,8 +2,6 @@
 
 package edu.cornell.mannlib.vitro.webapp.auth.identifier.factory;
 
-import javax.servlet.ServletContext;
-
 import edu.cornell.mannlib.vitro.webapp.auth.identifier.ArrayIdentifierBundle;
 import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle;
 import edu.cornell.mannlib.vitro.webapp.auth.identifier.common.IsRootUser;
@@ -14,10 +12,6 @@
  */
 public class IsRootUserFactory extends BaseUserBasedIdentifierBundleFactory {
 
-	public IsRootUserFactory(ServletContext ctx) {
-		super(ctx);
-	}
-
 	@Override
 	public IdentifierBundle getIdentifierBundleForUser(UserAccount user) {
 		if ((user != null) && user.isRootUser()) {
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/identifier/factory/IsUserFactory.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/identifier/factory/IsUserFactory.java
index d1d60ea9e5..67b935a1dd 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/identifier/factory/IsUserFactory.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/identifier/factory/IsUserFactory.java
@@ -2,8 +2,6 @@
 
 package edu.cornell.mannlib.vitro.webapp.auth.identifier.factory;
 
-import javax.servlet.ServletContext;
-
 import edu.cornell.mannlib.vitro.webapp.auth.identifier.ArrayIdentifierBundle;
 import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle;
 import edu.cornell.mannlib.vitro.webapp.auth.identifier.common.IsUser;
@@ -14,10 +12,6 @@
  */
 public class IsUserFactory extends BaseUserBasedIdentifierBundleFactory {
 
-	public IsUserFactory(ServletContext ctx) {
-		super(ctx);
-	}
-
 	@Override
 	public IdentifierBundle getIdentifierBundleForUser(UserAccount user) {
 		if (user == null) {
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/AccessObject.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/AccessObject.java
new file mode 100644
index 0000000000..32e003cd5e
--- /dev/null
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/AccessObject.java
@@ -0,0 +1,119 @@
+/* $This file is distributed under the terms of the license in LICENSE$ */
+
+package edu.cornell.mannlib.vitro.webapp.auth.objects;
+
+import java.util.Optional;
+
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType;
+import edu.cornell.mannlib.vitro.webapp.beans.DataProperty;
+import edu.cornell.mannlib.vitro.webapp.beans.ObjectProperty;
+import edu.cornell.mannlib.vitro.webapp.beans.Property;
+import org.apache.jena.rdf.model.Model;
+
+public abstract class AccessObject {
+
+    public static String SOME_URI = "?SOME_URI";
+    public static Property SOME_PREDICATE = new Property(SOME_URI);
+    public static String SOME_LITERAL = "?SOME_LITERAL";
+
+    protected AccessObjectStatement statement;
+    private DataProperty dataProperty;
+    private ObjectProperty objectProperty;
+
+    public Optional<ObjectProperty> getObjectProperty() {
+        if (objectProperty != null) {
+            return Optional.of(objectProperty);
+        }
+        return Optional.empty();
+    }
+
+    public void setObjectProperty(ObjectProperty objectProperty) {
+        this.objectProperty = objectProperty;
+    }
+
+    public Optional<String> getUri() {
+        return Optional.empty();
+    }
+
+    public abstract AccessObjectType getType();
+
+    public Optional<AccessObjectStatement> getStatement() {
+        if (statement == null) {
+            return Optional.empty();
+        }
+        return Optional.of(statement);
+    };
+
+    protected void initializeStatement() {
+        if (statement == null) {
+            statement = new AccessObjectStatement();
+        }
+    }
+
+    public void setStatementOntModel(Model ontModel) {
+        initializeStatement();
+        statement.setModel(ontModel);
+    }
+
+    public Model getStatementOntModel() {
+        if (statement != null) {
+            return statement.getModel();
+        }
+        return null;
+    }
+
+    public void setStatementSubject(String subject) {
+        initializeStatement();
+        statement.setSubject(subject);
+    }
+
+    public String getStatementSubject() {
+        initializeStatement();
+        return statement.getSubject();
+    }
+
+    public void setStatementPredicate(Property predicate) {
+        initializeStatement();
+        statement.setPredicate(predicate);
+    }
+
+    protected Property getPredicate() {
+        initializeStatement();
+        return statement.getPredicate();
+    }
+
+    public String getStatementPredicateUri() {
+        if (statement == null || statement.getPredicate() == null) {
+            return null;
+        }
+        Property predicate = getPredicate();
+        return predicate.getURI();
+    }
+
+    public void setStatementObject(String objectUri) {
+        initializeStatement();
+        this.statement.setObject(objectUri);
+    }
+
+    public String getStatementObject() {
+        initializeStatement();
+        return statement.getObject();
+    }
+
+    public Optional<DataProperty> getDataProperty() {
+        if (dataProperty == null) {
+            return Optional.empty();
+        }
+        return Optional.of(dataProperty);
+    }
+
+    public void setDataProperty(DataProperty dataProperty) {
+        this.dataProperty = dataProperty;
+    }
+
+    public String[] getResourceUris() {
+        initializeStatement();
+        return statement.getResourceUris(getType());
+    }
+
+}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/AccessObjectStatement.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/AccessObjectStatement.java
new file mode 100644
index 0000000000..91872cd146
--- /dev/null
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/AccessObjectStatement.java
@@ -0,0 +1,62 @@
+/* $This file is distributed under the terms of the license in LICENSE$ */
+
+package edu.cornell.mannlib.vitro.webapp.auth.objects;
+
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType;
+import edu.cornell.mannlib.vitro.webapp.beans.Property;
+import org.apache.jena.rdf.model.Model;
+
+public class AccessObjectStatement {
+
+    private Model model = null;
+    private String subject = null;
+    private Property predicate = null;
+    private String object = null;
+
+    public Model getModel() {
+        return model;
+    }
+
+    public void setModel(Model model) {
+        this.model = model;
+    }
+
+    public String getSubject() {
+        return subject;
+    }
+
+    public void setSubject(String subject) {
+        this.subject = subject;
+    }
+
+    public Property getPredicate() {
+        return predicate;
+    }
+
+    public void setPredicate(Property predicate) {
+        this.predicate = predicate;
+    }
+
+    public String getObject() {
+        return object;
+    }
+
+    public void setObject(String object) {
+        this.object = object;
+    }
+
+    public String[] getResourceUris(AccessObjectType type) {
+        switch (type) {
+            case DATA_PROPERTY_STATEMENT:
+                return new String[] { getSubject() };
+            case OBJECT_PROPERTY_STATEMENT:
+                return new String[] { getSubject(), getObject() };
+            case FAUX_DATA_PROPERTY_STATEMENT:
+                return new String[] { getSubject(), getObject() };
+            case FAUX_OBJECT_PROPERTY_STATEMENT:
+                return new String[] { getSubject(), getObject() };
+            default:
+                return new String[0];
+        }
+    }
+}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/DataPropertyAccessObject.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/DataPropertyAccessObject.java
new file mode 100644
index 0000000000..785dfce319
--- /dev/null
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/DataPropertyAccessObject.java
@@ -0,0 +1,58 @@
+/* $This file is distributed under the terms of the license in LICENSE$ */
+
+package edu.cornell.mannlib.vitro.webapp.auth.objects;
+
+import java.util.Optional;
+
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType;
+import edu.cornell.mannlib.vitro.webapp.beans.DataProperty;
+import edu.cornell.mannlib.vitro.webapp.web.templatemodels.individual.FauxDataPropertyWrapper;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+public class DataPropertyAccessObject extends AccessObject {
+
+    private static final Log log = LogFactory.getLog(DataPropertyAccessObject.class);
+
+    public DataPropertyAccessObject(DataProperty dataProperty) {
+        setDataProperty(dataProperty);
+        debug(dataProperty);
+    }
+
+    @Override
+    public Optional<String> getUri() {
+        Optional<DataProperty> dp = getDataProperty();
+        if (dp.isPresent()) {
+            String uri = dp.get().getURI();
+            if (uri == null) {
+                return Optional.empty();
+            }
+            return Optional.of(uri);
+        }
+        return Optional.empty();
+    }
+
+    @Override
+    public AccessObjectType getType() {
+        return AccessObjectType.DATA_PROPERTY;
+    }
+
+    @Override
+    public String toString() {
+        Optional<DataProperty> dp = getDataProperty();
+        return getClass().getSimpleName() + ": " + (!dp.isPresent() ? "not present" : dp.get().getURI());
+    }
+
+    private void debug(DataProperty dataProperty) {
+        if (dataProperty instanceof FauxDataPropertyWrapper) {
+            Throwable t = new Throwable();
+            log.error("FauxDataPropertyWrapper provided in DataPropertyAccessObject constructor");
+            log.error(t, t);
+        }
+        if (dataProperty == null) {
+            Throwable t = new Throwable();
+            log.error("null provided in DataPropertyAccessObject constructor");
+            log.error(t, t);
+        }
+    }
+}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/DataPropertyStatementAccessObject.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/DataPropertyStatementAccessObject.java
new file mode 100644
index 0000000000..644b71e116
--- /dev/null
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/DataPropertyStatementAccessObject.java
@@ -0,0 +1,51 @@
+/* $This file is distributed under the terms of the license in LICENSE$ */
+
+package edu.cornell.mannlib.vitro.webapp.auth.objects;
+
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType;
+import edu.cornell.mannlib.vitro.webapp.beans.DataPropertyStatement;
+import edu.cornell.mannlib.vitro.webapp.beans.Property;
+import org.apache.jena.ontology.OntModel;
+
+/**
+ * A base class for requested actions that involve adding, editing, or dropping
+ * data property statements from a model.
+ */
+public class DataPropertyStatementAccessObject extends AccessObject {
+
+    public DataPropertyStatementAccessObject(OntModel ontModel, String subjectUri, String predicateUri,
+            String dataValue) {
+        setStatementOntModel(ontModel);
+        setStatementSubject(subjectUri);
+        setStatementPredicate(new Property(predicateUri));
+        setStatementObject(dataValue);
+
+    }
+
+    public DataPropertyStatementAccessObject(OntModel ontModel, String subjectUri, Property predicate,
+            String dataValue) {
+        setStatementOntModel(ontModel);
+        setStatementSubject(subjectUri);
+        setStatementPredicate(predicate);
+        setStatementObject(dataValue);
+
+    }
+
+    public DataPropertyStatementAccessObject(OntModel ontModel, DataPropertyStatement dps) {
+        setStatementOntModel(ontModel);
+        setStatementSubject((dps.getIndividual() == null) ? dps.getIndividualURI() : dps.getIndividual().getURI());
+        setStatementPredicate(new Property(dps.getDatapropURI()));
+        setStatementObject(dps.getData());
+    }
+
+    @Override
+    public String toString() {
+        return getClass().getSimpleName() + ": <" + getStatementSubject() + "> <" + getStatementPredicateUri() + "> <"
+                + getStatementObject() + ">";
+    }
+
+    @Override
+    public AccessObjectType getType() {
+        return AccessObjectType.DATA_PROPERTY_STATEMENT;
+    }
+}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/FauxDataPropertyAccessObject.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/FauxDataPropertyAccessObject.java
new file mode 100644
index 0000000000..d7c3f7a070
--- /dev/null
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/FauxDataPropertyAccessObject.java
@@ -0,0 +1,52 @@
+/* $This file is distributed under the terms of the license in LICENSE$ */
+
+package edu.cornell.mannlib.vitro.webapp.auth.objects;
+
+import java.util.Optional;
+
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType;
+import edu.cornell.mannlib.vitro.webapp.beans.DataProperty;
+import edu.cornell.mannlib.vitro.webapp.web.templatemodels.individual.FauxDataPropertyWrapper;
+
+public class FauxDataPropertyAccessObject extends AccessObject {
+
+    public FauxDataPropertyAccessObject(DataProperty dataProperty) {
+        setDataProperty(dataProperty);
+    }
+
+    @Override
+    public AccessObjectType getType() {
+        return AccessObjectType.FAUX_DATA_PROPERTY;
+    }
+
+    @Override
+    public Optional<String> getUri() {
+        Optional<DataProperty> dp = getDataProperty();
+        if (!dp.isPresent()) {
+            return Optional.empty();
+        }
+        DataProperty property = dp.get();
+        if (property instanceof FauxDataPropertyWrapper) {
+            String uri = ((FauxDataPropertyWrapper) property).getConfigUri();
+            if (uri == null) {
+                return Optional.empty();
+            }
+            return Optional.of(uri);
+        }
+        String uri = property.getURI();
+        if (uri == null) {
+            return Optional.empty();
+        }
+        return Optional.of(uri);
+    }
+
+    @Override
+    public String toString() {
+        Optional<DataProperty> dp = getDataProperty();
+        DataProperty property = dp.get();
+        if (property instanceof FauxDataPropertyWrapper) {
+            return getClass().getSimpleName() + ": " + ((FauxDataPropertyWrapper) property).getConfigUri();
+        }
+        return getClass().getSimpleName() + ": " + (!dp.isPresent() ? "not present" : dp.get().getURI());
+    }
+}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/FauxDataPropertyStatementAccessObject.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/FauxDataPropertyStatementAccessObject.java
new file mode 100644
index 0000000000..61dbfcfd1e
--- /dev/null
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/FauxDataPropertyStatementAccessObject.java
@@ -0,0 +1,36 @@
+/* $This file is distributed under the terms of the license in LICENSE$ */
+
+package edu.cornell.mannlib.vitro.webapp.auth.objects;
+
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType;
+import edu.cornell.mannlib.vitro.webapp.beans.FauxProperty;
+import org.apache.jena.ontology.OntModel;
+
+public class FauxDataPropertyStatementAccessObject extends AccessObject {
+
+    private FauxProperty predicate;
+
+    public FauxDataPropertyStatementAccessObject(OntModel ontModel, String subjectUri, FauxProperty predicate,
+            String dataValue) {
+        setStatementOntModel(ontModel);
+        setStatementSubject(subjectUri);
+        this.predicate = predicate;
+        setStatementObject(dataValue);
+    }
+
+    @Override
+    public AccessObjectType getType() {
+        return AccessObjectType.FAUX_DATA_PROPERTY_STATEMENT;
+    }
+
+    @Override
+    public String getStatementPredicateUri() {
+        return predicate.getConfigUri();
+    }
+
+    @Override
+    public String toString() {
+        return getClass().getSimpleName() + ": <" + getStatementSubject() + "> <" + predicate.getConfigUri() + "> <"
+                + getStatementObject() + ">";
+    }
+}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/FauxObjectPropertyAccessObject.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/FauxObjectPropertyAccessObject.java
new file mode 100644
index 0000000000..5513c48873
--- /dev/null
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/FauxObjectPropertyAccessObject.java
@@ -0,0 +1,54 @@
+/* $This file is distributed under the terms of the license in LICENSE$ */
+
+package edu.cornell.mannlib.vitro.webapp.auth.objects;
+
+import java.util.Optional;
+
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType;
+import edu.cornell.mannlib.vitro.webapp.beans.ObjectProperty;
+import edu.cornell.mannlib.vitro.webapp.web.templatemodels.individual.FauxObjectPropertyWrapper;
+
+public class FauxObjectPropertyAccessObject extends AccessObject {
+
+    public FauxObjectPropertyAccessObject(ObjectProperty objectProperty) {
+        setObjectProperty(objectProperty);
+    }
+
+    @Override
+    public AccessObjectType getType() {
+        return AccessObjectType.FAUX_OBJECT_PROPERTY;
+    }
+
+    public Optional<String> getUri() {
+        Optional<ObjectProperty> op = getObjectProperty();
+        if (!op.isPresent()) {
+            return Optional.empty();
+        }
+        ObjectProperty property = op.get();
+        if (property instanceof FauxObjectPropertyWrapper) {
+            String uri = ((FauxObjectPropertyWrapper) property).getConfigUri();
+            if (uri == null) {
+                return Optional.empty();
+            }
+            return Optional.of(uri);
+        }
+        String uri = property.getURI();
+        if (uri == null) {
+            return Optional.empty();
+        }
+        return Optional.of(uri);
+    }
+
+    @Override
+    public String toString() {
+        Optional<ObjectProperty> op = getObjectProperty();
+        if (!op.isPresent()) {
+            return getClass().getSimpleName() + ": Object property is not present.";
+        }
+        ObjectProperty property = op.get();
+        if (property instanceof FauxObjectPropertyWrapper) {
+            return getClass().getSimpleName() + ": " + ((FauxObjectPropertyWrapper) property).getConfigUri();
+        }
+        return getClass().getSimpleName() + ": " + (property == null ? "not present." : property.getURI());
+    }
+}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/FauxObjectPropertyStatementAccessObject.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/FauxObjectPropertyStatementAccessObject.java
new file mode 100644
index 0000000000..186a00505f
--- /dev/null
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/FauxObjectPropertyStatementAccessObject.java
@@ -0,0 +1,36 @@
+/* $This file is distributed under the terms of the license in LICENSE$ */
+
+package edu.cornell.mannlib.vitro.webapp.auth.objects;
+
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType;
+import edu.cornell.mannlib.vitro.webapp.beans.FauxProperty;
+import org.apache.jena.rdf.model.Model;
+
+public class FauxObjectPropertyStatementAccessObject extends AccessObject {
+
+    private FauxProperty predicate;
+
+    public FauxObjectPropertyStatementAccessObject(Model ontModel, String subjectUri, FauxProperty fauxProperty,
+            String objectUri) {
+        setStatementOntModel(ontModel);
+        setStatementSubject(subjectUri);
+        predicate = fauxProperty;
+        setStatementObject(objectUri);
+    }
+
+    @Override
+    public AccessObjectType getType() {
+        return AccessObjectType.FAUX_OBJECT_PROPERTY_STATEMENT;
+    }
+
+    @Override
+    public String getStatementPredicateUri() {
+        return predicate.getConfigUri();
+    }
+
+    @Override
+    public String toString() {
+        return getClass().getSimpleName() + ": <" + getStatementSubject() + "> <" + predicate.getConfigUri() + "> <"
+                + getStatementObject() + ">";
+    }
+}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/NamedAccessObject.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/NamedAccessObject.java
new file mode 100644
index 0000000000..8b9f025ac9
--- /dev/null
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/NamedAccessObject.java
@@ -0,0 +1,71 @@
+/* $This file is distributed under the terms of the license in LICENSE$ */
+
+package edu.cornell.mannlib.vitro.webapp.auth.objects;
+
+import java.util.Optional;
+
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType;
+
+/**
+ * A NamedAccessObject to be used for SimplePermission.
+ */
+public class NamedAccessObject extends AccessObject {
+    private final String uri;
+    private AccessObjectType type;
+
+    public NamedAccessObject() {
+        this.uri = "";
+        this.type = AccessObjectType.NAMED_OBJECT;
+    }
+
+    public NamedAccessObject(String uri, AccessObjectType type) {
+        this.uri = uri;
+        this.type = type;
+    }
+
+    public NamedAccessObject(String uri) {
+        this.uri = uri;
+        this.type = AccessObjectType.NAMED_OBJECT;
+    }
+
+    @Override
+    public Optional<String> getUri() {
+        if (uri == null) {
+            return Optional.empty();
+        }
+        return Optional.of(uri);
+    }
+
+    @Override
+    public int hashCode() {
+        return uri.hashCode();
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (o instanceof NamedAccessObject) {
+            NamedAccessObject that = (NamedAccessObject) o;
+            return equivalent(this.uri, that.uri);
+        }
+        return false;
+    }
+
+    private boolean equivalent(Object o1, Object o2) {
+        return (o1 == null) ? (o2 == null) : o1.equals(o2);
+    }
+
+    @Override
+    public String toString() {
+        return getShortName(uri);
+    }
+
+    @Override
+    public AccessObjectType getType() {
+        return type;
+    }
+
+    private static String getShortName(String entityUri) {
+        return entityUri.substring(entityUri.lastIndexOf('#') + 1);
+    }
+
+}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/ObjectPropertyAccessObject.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/ObjectPropertyAccessObject.java
new file mode 100644
index 0000000000..bfa94ddff6
--- /dev/null
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/ObjectPropertyAccessObject.java
@@ -0,0 +1,58 @@
+/* $This file is distributed under the terms of the license in LICENSE$ */
+
+package edu.cornell.mannlib.vitro.webapp.auth.objects;
+
+import java.util.Optional;
+
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType;
+import edu.cornell.mannlib.vitro.webapp.beans.ObjectProperty;
+import edu.cornell.mannlib.vitro.webapp.web.templatemodels.individual.FauxObjectPropertyWrapper;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+public class ObjectPropertyAccessObject extends AccessObject {
+
+    private static final Log log = LogFactory.getLog(ObjectPropertyAccessObject.class);
+
+    public ObjectPropertyAccessObject(ObjectProperty objectProperty) {
+        setObjectProperty(objectProperty);
+        debug(objectProperty);
+    }
+
+    @Override
+    public Optional<String> getUri() {
+        Optional<ObjectProperty> op = getObjectProperty();
+        if (op.isPresent()) {
+            String uri = op.get().getURI();
+            if (uri == null) {
+                return Optional.empty();
+            }
+            return Optional.of(uri);
+        }
+        return Optional.empty();
+    }
+
+    @Override
+    public AccessObjectType getType() {
+        return AccessObjectType.OBJECT_PROPERTY;
+    }
+
+    @Override
+    public String toString() {
+        Optional<ObjectProperty> op = getObjectProperty();
+        return getClass().getSimpleName() + ": " + (!op.isPresent() ? "not present." : op.get().getURI());
+    }
+
+    private void debug(ObjectProperty property) {
+        if (property instanceof FauxObjectPropertyWrapper) {
+            Throwable t = new Throwable();
+            log.error("FauxObjectPropertyWrapper provided in ObjectPropertyAccessObject constructor");
+            log.error(t, t);
+        }
+        if (property == null) {
+            Throwable t = new Throwable();
+            log.error("null provided in ObjectPropertyAccessObject constructor");
+            log.error(t, t);
+        }
+    }
+}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/ObjectPropertyStatementAccessObject.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/ObjectPropertyStatementAccessObject.java
new file mode 100644
index 0000000000..87db9869a2
--- /dev/null
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/ObjectPropertyStatementAccessObject.java
@@ -0,0 +1,33 @@
+/* $This file is distributed under the terms of the license in LICENSE$ */
+
+package edu.cornell.mannlib.vitro.webapp.auth.objects;
+
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType;
+import edu.cornell.mannlib.vitro.webapp.beans.Property;
+import org.apache.jena.rdf.model.Model;
+
+/**
+ * A base class for requested access objects that involve adding, editing, or
+ * deleting object property statements from a model.
+ */
+public class ObjectPropertyStatementAccessObject extends AccessObject {
+
+    public ObjectPropertyStatementAccessObject(Model ontModel, String subjectUri, Property predicate,
+            String objectUri) {
+        setStatementOntModel(ontModel);
+        setStatementSubject(subjectUri);
+        setStatementPredicate(predicate);
+        setStatementObject(objectUri);
+    }
+
+    @Override
+    public AccessObjectType getType() {
+        return AccessObjectType.OBJECT_PROPERTY_STATEMENT;
+    }
+
+    @Override
+    public String toString() {
+        return getClass().getSimpleName() + ": <" + getStatementSubject() + "> <" + getStatementPredicateUri() + "> <"
+                + getStatementObject() + ">";
+    }
+}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/RootAccessObject.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/RootAccessObject.java
new file mode 100644
index 0000000000..2bb5108313
--- /dev/null
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/RootAccessObject.java
@@ -0,0 +1,16 @@
+/* $This file is distributed under the terms of the license in LICENSE$ */
+
+package edu.cornell.mannlib.vitro.webapp.auth.objects;
+
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType;
+
+/**
+ * Should we allow the user to edit or delete the root account?
+ */
+public class RootAccessObject extends NamedAccessObject {
+
+    @Override
+    public AccessObjectType getType() {
+        return AccessObjectType.ROOT_USER;
+    }
+}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/permissions/BrokenPermission.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/permissions/BrokenPermission.java
deleted file mode 100644
index e28d8a3b73..0000000000
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/permissions/BrokenPermission.java
+++ /dev/null
@@ -1,26 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.permissions;
-
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction;
-
-/**
- * This is what the PermissionRegistry hands out if you ask for a Permission
- * that it doesn't know about. Nothing is authorized by this Permission.
- */
-public class BrokenPermission extends Permission {
-	public BrokenPermission(String uri) {
-		super(uri);
-	}
-
-	@Override
-	public boolean isAuthorized(RequestedAction whatToAuth) {
-		return false;
-	}
-
-	@Override
-	public String toString() {
-		return "BrokenPermission[" + uri + "]";
-	}
-
-}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/permissions/DisplayByRolePermission.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/permissions/DisplayByRolePermission.java
deleted file mode 100644
index 99cab19d38..0000000000
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/permissions/DisplayByRolePermission.java
+++ /dev/null
@@ -1,127 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.permissions;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-
-import edu.cornell.mannlib.vitro.webapp.auth.policy.bean.PropertyRestrictionBean;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.display.DisplayDataProperty;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.display.DisplayDataPropertyStatement;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.display.DisplayObjectProperty;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.display.DisplayObjectPropertyStatement;
-import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean.RoleLevel;
-import edu.cornell.mannlib.vitro.webapp.beans.DataPropertyStatement;
-import edu.cornell.mannlib.vitro.webapp.beans.Property;
-
-/**
- * Is the user authorized to display properties that are marked as restricted to
- * a certain "Role Level"?
- */
-public class DisplayByRolePermission extends Permission {
-	private static final Log log = LogFactory
-			.getLog(DisplayByRolePermission.class);
-
-	public static final String NAMESPACE = "java:"
-			+ DisplayByRolePermission.class.getName() + "#";
-
-	private final String roleName;
-	private final RoleLevel roleLevel;
-
-	public DisplayByRolePermission(String roleName, RoleLevel roleLevel) {
-		super(NAMESPACE + roleName);
-
-		if (roleName == null) {
-			throw new NullPointerException("role may not be null.");
-		}
-		if (roleLevel == null) {
-			throw new NullPointerException("roleLevel may not be null.");
-		}
-
-		this.roleName = roleName;
-		this.roleLevel = roleLevel;
-	}
-
-	@Override
-	public boolean isAuthorized(RequestedAction whatToAuth) {
-		boolean result;
-
-		if (whatToAuth instanceof DisplayDataProperty) {
-			result = isAuthorized((DisplayDataProperty) whatToAuth);
-		} else if (whatToAuth instanceof DisplayObjectProperty) {
-			result = isAuthorized((DisplayObjectProperty) whatToAuth);
-		} else if (whatToAuth instanceof DisplayDataPropertyStatement) {
-			result = isAuthorized((DisplayDataPropertyStatement) whatToAuth);
-		} else if (whatToAuth instanceof DisplayObjectPropertyStatement) {
-			result = isAuthorized((DisplayObjectPropertyStatement) whatToAuth);
-		} else {
-			result = false;
-		}
-
-		if (result) {
-			log.debug(this + " authorizes " + whatToAuth);
-		} else {
-			log.debug(this + " does not authorize " + whatToAuth);
-		}
-
-		return result;
-	}
-
-	/**
-	 * The user may see this data property if they are allowed to see its
-	 * predicate.
-	 */
-	private boolean isAuthorized(DisplayDataProperty action) {
-		String predicateUri = action.getDataProperty().getURI();
-		return canDisplayPredicate(new Property(predicateUri));
-	}
-
-	/**
-	 * The user may see this object property if they are allowed to see its
-	 * predicate.
-	 */
-	private boolean isAuthorized(DisplayObjectProperty action) {
-		return canDisplayPredicate(action.getObjectProperty());
-	}
-
-	/**
-	 * The user may see this data property if they are allowed to see its
-	 * subject and its predicate.
-	 */
-	private boolean isAuthorized(DisplayDataPropertyStatement action) {
-		DataPropertyStatement stmt = action.getDataPropertyStatement();
-		String subjectUri = stmt.getIndividualURI();
-		String predicateUri = stmt.getDatapropURI();
-		return canDisplayResource(subjectUri)
-				&& canDisplayPredicate(new Property(predicateUri));
-	}
-
-	/**
-	 * The user may see this data property if they are allowed to see its
-	 * subject, its predicate, and its object.
-	 */
-	private boolean isAuthorized(DisplayObjectPropertyStatement action) {
-		String subjectUri = action.getSubjectUri();
-		String objectUri = action.getObjectUri();
-		Property op = action.getProperty();
-		return canDisplayResource(subjectUri) && canDisplayPredicate(op)
-				&& canDisplayResource(objectUri);
-	}
-
-	private boolean canDisplayResource(String resourceUri) {
-		return PropertyRestrictionBean.getBean().canDisplayResource(
-				resourceUri, this.roleLevel);
-	}
-
-	private boolean canDisplayPredicate(Property predicate) {
-		return PropertyRestrictionBean.getBean().canDisplayPredicate(predicate,
-				this.roleLevel);
-	}
-
-	@Override
-	public String toString() {
-		return "DisplayByRolePermission['" + roleName + "']";
-	}
-
-}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/permissions/EditByRolePermission.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/permissions/EditByRolePermission.java
deleted file mode 100644
index e276f9ace2..0000000000
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/permissions/EditByRolePermission.java
+++ /dev/null
@@ -1,105 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.permissions;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-
-import edu.cornell.mannlib.vitro.webapp.auth.policy.bean.PropertyRestrictionBean;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AbstractDataPropertyStatementAction;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AbstractObjectPropertyStatementAction;
-import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean.RoleLevel;
-import edu.cornell.mannlib.vitro.webapp.beans.Property;
-
-/**
- * Is the user authorized to edit properties that are marked as restricted to a
- * certain "Role Level"?
- */
-public class EditByRolePermission extends Permission {
-	private static final Log log = LogFactory
-			.getLog(EditByRolePermission.class);
-
-	public static final String NAMESPACE = "java:"
-			+ EditByRolePermission.class.getName() + "#";
-
-	private final String roleName;
-	private final RoleLevel roleLevel;
-
-	public EditByRolePermission(String roleName, RoleLevel roleLevel) {
-		super(NAMESPACE + roleName);
-
-		if (roleName == null) {
-			throw new NullPointerException("role may not be null.");
-		}
-		if (roleLevel == null) {
-			throw new NullPointerException("roleLevel may not be null.");
-		}
-
-		this.roleName = roleName;
-		this.roleLevel = roleLevel;
-	}
-
-	/**
-	 * If the requested action is to edit a property statement, we might
-	 * authorize it based on their role level.
-	 */
-	@Override
-	public boolean isAuthorized(RequestedAction whatToAuth) {
-		boolean result;
-
-		if (whatToAuth instanceof AbstractDataPropertyStatementAction) {
-			result = isAuthorized((AbstractDataPropertyStatementAction) whatToAuth);
-		} else if (whatToAuth instanceof AbstractObjectPropertyStatementAction) {
-			result = isAuthorized((AbstractObjectPropertyStatementAction) whatToAuth);
-		} else {
-			result = false;
-		}
-
-		if (result) {
-			log.debug(this + " authorizes " + whatToAuth);
-		} else {
-			log.debug(this + " does not authorize " + whatToAuth);
-		}
-
-		return result;
-	}
-
-	/**
-	 * The user may add, edit, or delete this data property if they are allowed
-	 * to modify its subject and its predicate.
-	 */
-	private boolean isAuthorized(AbstractDataPropertyStatementAction action) {
-		String subjectUri = action.getSubjectUri();
-		Property predicate = action.getPredicate();
-		return canModifyResource(subjectUri) && canModifyPredicate(predicate);
-	}
-
-	/**
-	 * The user may add, edit, or delete this data property if they are allowed
-	 * to modify its subject, its predicate, and its object.
-	 */
-	private boolean isAuthorized(AbstractObjectPropertyStatementAction action) {
-		String subjectUri = action.getSubjectUri();
-		Property predicate = action.getPredicate();
-		String objectUri = action.getObjectUri();
-		return canModifyResource(subjectUri) && canModifyPredicate(predicate)
-				&& canModifyResource(objectUri);
-	}
-
-	private boolean canModifyResource(String resourceUri) {
-		return PropertyRestrictionBean.getBean().canModifyResource(resourceUri,
-				roleLevel);
-	}
-
-	private boolean canModifyPredicate(Property predicate) {
-		return PropertyRestrictionBean.getBean().canModifyPredicate(predicate,
-				roleLevel);
-	}
-
-	@Override
-	public String toString() {
-		return "EditByRolePermission['" + roleName + "']";
-	}
-
-}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/permissions/Permission.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/permissions/Permission.java
deleted file mode 100644
index fda203fc22..0000000000
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/permissions/Permission.java
+++ /dev/null
@@ -1,76 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.permissions;
-
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction;
-
-/**
- * Interface that describes a unit of authorization, or permission to perform
- * requested actions.
- */
-public abstract class Permission implements Comparable<Permission> {
-	protected final String uri;
-
-	protected Permission(String uri) {
-		if (uri == null) {
-			throw new NullPointerException("uri may not be null.");
-		}
-		this.uri = uri;
-	}
-
-	/**
-	 * Get the URI that identifies this Permission object.
-	 */
-	public String getUri() {
-		return uri;
-	}
-
-	/**
-	 * Is a user with this Permission authorized to perform this
-	 * RequestedAction?
-	 */
-	public abstract boolean isAuthorized(RequestedAction whatToAuth);
-
-	@Override
-	public int compareTo(Permission that) {
-		return this.uri.compareTo(that.uri);
-	}
-
-	@Override
-	public boolean equals(Object obj) {
-		if (obj == this) {
-			return true;
-		}
-		if (obj == null) {
-			return false;
-		}
-		if (!obj.getClass().equals(this.getClass())) {
-			return false;
-		}
-		Permission that = (Permission) obj;
-		return this.uri.equals(that.uri);
-	}
-
-	@Override
-	public int hashCode() {
-		return uri.hashCode();
-	}
-
-	@Override
-	public String toString() {
-		return this.getClass().getSimpleName() + "['" + uri + "']";
-	}
-
-	/**
-	 * A concrete Permission instance that authorizes nothing.
-	 */
-	static Permission NOT_AUTHORIZED = new Permission("java:"
-			+ Permission.class.getName() + "#NOT_AUTHORIZED") {
-
-		@Override
-		public boolean isAuthorized(RequestedAction whatToAuth) {
-			return false;
-		}
-
-	};
-}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/permissions/PermissionRegistry.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/permissions/PermissionRegistry.java
deleted file mode 100644
index fab6cfff62..0000000000
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/permissions/PermissionRegistry.java
+++ /dev/null
@@ -1,216 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.permissions;
-
-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-
-import javax.servlet.ServletContext;
-import javax.servlet.ServletContextEvent;
-import javax.servlet.ServletContextListener;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-
-import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean.RoleLevel;
-import edu.cornell.mannlib.vitro.webapp.startup.StartupStatus;
-
-/**
- * A collection of Permission objects, keyed by URI. Resides in the
- * ServletContext.
- *
- * This is not thread-safe, so Permissions should be added only during context
- * initialization.
- */
-public class PermissionRegistry {
-	private static final Log log = LogFactory.getLog(PermissionRegistry.class);
-
-	// ----------------------------------------------------------------------
-	// The factory
-	// ----------------------------------------------------------------------
-
-	private static final String ATTRIBUTE_NAME = PermissionRegistry.class
-			.getName();
-
-	/**
-	 * Has the registry been created yet?
-	 */
-	public static boolean isRegistryCreated(ServletContext ctx) {
-		return ctx.getAttribute(ATTRIBUTE_NAME) instanceof PermissionRegistry;
-	}
-
-	/**
-	 * Create the registry and store it in the context.
-	 */
-	public static void createRegistry(ServletContext ctx,
-			Collection<? extends Permission> permissions) {
-		if (ctx == null) {
-			throw new NullPointerException("ctx may not be null.");
-		}
-		if (permissions == null) {
-			throw new NullPointerException("permissions may not be null.");
-		}
-		if (ctx.getAttribute(ATTRIBUTE_NAME) != null) {
-			throw new IllegalStateException(
-					"PermissionRegistry has already been set.");
-		}
-
-		PermissionRegistry registry = new PermissionRegistry();
-		registry.addPermissions(permissions);
-		ctx.setAttribute(ATTRIBUTE_NAME, registry);
-	}
-
-	/**
-	 * Get the registry from the context. If there isn't one, throw an
-	 * exception.
-	 */
-	public static PermissionRegistry getRegistry(ServletContext ctx) {
-		if (ctx == null) {
-			throw new NullPointerException("ctx may not be null.");
-		}
-
-		Object o = ctx.getAttribute(ATTRIBUTE_NAME);
-		if (o == null) {
-			throw new IllegalStateException(
-					"PermissionRegistry has not been set.");
-		} else if (!(o instanceof PermissionRegistry)) {
-			throw new IllegalStateException("PermissionRegistry was set to an "
-					+ "invalid object: " + o);
-		}
-
-		return (PermissionRegistry) o;
-	}
-
-	// ----------------------------------------------------------------------
-	// The instance
-	// ----------------------------------------------------------------------
-
-	private final Map<String, Permission> map = new HashMap<>();
-
-	/**
-	 * This class is not thread-safe, so permissions should be added only during
-	 * context initialization.
-	 */
-	public void addPermissions(Collection<? extends Permission> permissions) {
-		for (Permission p : permissions) {
-			addPermission(p);
-		}
-	}
-
-	/**
-	 * This class is not thread-safe, so permissions should be added only during
-	 * context initialization.
-	 */
-	public void addPermission(Permission p) {
-		String uri = p.getUri();
-		if (map.containsKey(uri)) {
-			throw new IllegalStateException("A Permission is already "
-					+ "registered with this URI: '" + uri + "'.");
-		}
-		map.put(uri, p);
-	}
-
-	/**
-	 * Is there a Permission registered with this URI?
-	 */
-	public boolean isPermission(String uri) {
-		return map.containsKey(uri);
-	}
-
-	/**
-	 * Get the permission that is registered with this URI. If there is no such
-	 * Permission, return a BrokenPermission that always denies authorization.
-	 *
-	 * If you want to know whether an actual Permission has been registered at
-	 * this URI, call isPermission() instead.
-	 */
-	public Permission getPermission(String uri) {
-		Permission p = map.get(uri);
-		if (p == null) {
-			log.warn("No Permission is registered for '" + uri + "'");
-			return new BrokenPermission(uri);
-		}
-
-		return p;
-	}
-
-	// ----------------------------------------------------------------------
-	// Setup class
-	// ----------------------------------------------------------------------
-
-	public static class Setup implements ServletContextListener {
-		@Override
-		public void contextInitialized(ServletContextEvent sce) {
-			ServletContext ctx = sce.getServletContext();
-			StartupStatus ss = StartupStatus.getBean(ctx);
-			try {
-				List<Permission> permissions = new ArrayList<Permission>();
-
-				permissions.addAll(SimplePermission.getAllInstances());
-				permissions.addAll(createDisplayByRolePermissions());
-				permissions.addAll(createEditByRolePermissions());
-				permissions.addAll(createPublishByRolePermissions());
-
-				PermissionRegistry.createRegistry(ctx, permissions);
-
-				ss.info(this, "Created the PermissionRegistry with "
-						+ permissions.size() + " permissions.");
-			} catch (Exception e) {
-				ss.fatal(this, "Failed to initialize the PermissionRegistry.",
-						e);
-			}
-		}
-
-		/**
-		 * There is no DisplayByRolePermission for self-editors. They get the
-		 * same rights as PUBLIC. Other permissions give them their self-editing
-		 * privileges.
-		 */
-		private Collection<Permission> createDisplayByRolePermissions() {
-			List<Permission> list = new ArrayList<Permission>();
-			list.add(new DisplayByRolePermission("Admin", RoleLevel.DB_ADMIN));
-			list.add(new DisplayByRolePermission("Curator", RoleLevel.CURATOR));
-			list.add(new DisplayByRolePermission("Editor", RoleLevel.EDITOR));
-			list.add(new DisplayByRolePermission("Public", RoleLevel.PUBLIC));
-			return list;
-		}
-
-		/**
-		 * There is no EditByRolePermission for PUBLIC or for self-editors. A
-		 * property may be given an edit-level of "PUBLIC", but that may also
-		 * simply be the default assigned to it when editing, and we don't want
-		 * to recognize that.
-		 *
-		 * Other permissions give self-editors their editing privileges.
-		 */
-		private Collection<Permission> createEditByRolePermissions() {
-			List<Permission> list = new ArrayList<Permission>();
-			list.add(new EditByRolePermission("Admin", RoleLevel.DB_ADMIN));
-			list.add(new EditByRolePermission("Curator", RoleLevel.CURATOR));
-			list.add(new EditByRolePermission("Editor", RoleLevel.EDITOR));
-			return list;
-		}
-
-		@Override
-		public void contextDestroyed(ServletContextEvent sce) {
-			sce.getServletContext().removeAttribute(ATTRIBUTE_NAME);
-		}
-
-		/**
-		 * There is no PublishByRolePermission for self-editors. They get the
-		 * same rights as PUBLIC. Other permissions give them their self-editing
-		 * privileges.
-		 */
-		private Collection<Permission> createPublishByRolePermissions() {
-			List<Permission> list = new ArrayList<Permission>();
-			list.add(new PublishByRolePermission("Admin", RoleLevel.DB_ADMIN));
-			list.add(new PublishByRolePermission("Curator", RoleLevel.CURATOR));
-			list.add(new PublishByRolePermission("Editor", RoleLevel.EDITOR));
-			list.add(new PublishByRolePermission("Public", RoleLevel.PUBLIC));
-			return list;
-		}
-	}
-}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/permissions/PermissionSetsSmokeTest.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/permissions/PermissionSetsSmokeTest.java
index 766f4c136d..b8c68f993a 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/permissions/PermissionSetsSmokeTest.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/permissions/PermissionSetsSmokeTest.java
@@ -69,7 +69,6 @@ public SmokeTester(ServletContextListener listener, ServletContext ctx,
 		public void test() {
 			checkForPermissionSetsWithoutLabels();
 			checkForReferencesToNonexistentPermissionSets();
-			checkForReferencesToNonexistentPermissions();
 			warnIfNoPermissionSetsForNewUsers();
 		}
 
@@ -95,21 +94,6 @@ private void checkForReferencesToNonexistentPermissionSets() {
 			}
 		}
 
-		private void checkForReferencesToNonexistentPermissions() {
-			PermissionRegistry registry = PermissionRegistry.getRegistry(ctx);
-			for (PermissionSet ps : uaDao.getAllPermissionSets()) {
-				for (String pUri : ps.getPermissionUris()) {
-					if (!registry.isPermission(pUri)) {
-						ss.warning(listener,
-								"The PermissionSet '" + ps.getLabel()
-										+ "' has the Permission '" + pUri
-										+ "', but the Permission "
-										+ "is not found in the registry.");
-					}
-				}
-			}
-		}
-
 		private void warnIfNoPermissionSetsForNewUsers() {
 			for (PermissionSet ps : uaDao.getAllPermissionSets()) {
 				if (ps.isForNewUsers()) {
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/permissions/PublishByRolePermission.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/permissions/PublishByRolePermission.java
deleted file mode 100644
index b1e63aa4bb..0000000000
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/permissions/PublishByRolePermission.java
+++ /dev/null
@@ -1,125 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.permissions;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-
-import edu.cornell.mannlib.vitro.webapp.auth.policy.bean.PropertyRestrictionBean;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.publish.PublishDataProperty;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.publish.PublishDataPropertyStatement;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.publish.PublishObjectProperty;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.publish.PublishObjectPropertyStatement;
-import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean.RoleLevel;
-import edu.cornell.mannlib.vitro.webapp.beans.Property;
-
-/**
- * Is the user authorized to publish properties that are marked as restricted to
- * a certain "Role Level"?
- */
-public class PublishByRolePermission extends Permission {
-	private static final Log log = LogFactory
-			.getLog(PublishByRolePermission.class);
-
-	public static final String NAMESPACE = "java:"
-			+ PublishByRolePermission.class.getName() + "#";
-
-	private final String roleName;
-	private final RoleLevel roleLevel;
-
-	public PublishByRolePermission(String roleName, RoleLevel roleLevel) {
-		super(NAMESPACE + roleName);
-
-		if (roleName == null) {
-			throw new NullPointerException("role may not be null.");
-		}
-		if (roleLevel == null) {
-			throw new NullPointerException("roleLevel may not be null.");
-		}
-
-		this.roleName = roleName;
-		this.roleLevel = roleLevel;
-	}
-
-	@Override
-	public boolean isAuthorized(RequestedAction whatToAuth) {
-		boolean result;
-
-		if (whatToAuth instanceof PublishDataProperty) {
-			result = isAuthorized((PublishDataProperty) whatToAuth);
-		} else if (whatToAuth instanceof PublishObjectProperty) {
-			result = isAuthorized((PublishObjectProperty) whatToAuth);
-		} else if (whatToAuth instanceof PublishDataPropertyStatement) {
-			result = isAuthorized((PublishDataPropertyStatement) whatToAuth);
-		} else if (whatToAuth instanceof PublishObjectPropertyStatement) {
-			result = isAuthorized((PublishObjectPropertyStatement) whatToAuth);
-		} else {
-			result = false;
-		}
-
-		if (result) {
-			log.debug(this + " authorizes " + whatToAuth);
-		} else {
-			log.debug(this + " does not authorize " + whatToAuth);
-		}
-
-		return result;
-	}
-
-	/**
-	 * The user may publish this data property if they are allowed to publish
-	 * its predicate.
-	 */
-	private boolean isAuthorized(PublishDataProperty action) {
-		String predicateUri = action.getDataProperty().getURI();
-		return canPublishPredicate(new Property(predicateUri));
-	}
-
-	/**
-	 * The user may publish this object property if they are allowed to publish
-	 * its predicate.
-	 */
-	private boolean isAuthorized(PublishObjectProperty action) {
-		return canPublishPredicate(action.getObjectProperty());
-	}
-
-	/**
-	 * The user may publish this data property if they are allowed to publish
-	 * its subject and its predicate.
-	 */
-	private boolean isAuthorized(PublishDataPropertyStatement action) {
-		String subjectUri = action.getSubjectUri();
-		String predicateUri = action.getPredicateUri();
-		return canPublishResource(subjectUri)
-				&& canPublishPredicate(new Property(predicateUri));
-	}
-
-	/**
-	 * The user may publish this data property if they are allowed to publish
-	 * its subject, its predicate, and its object.
-	 */
-	private boolean isAuthorized(PublishObjectPropertyStatement action) {
-		String subjectUri = action.getSubjectUri();
-		Property predicate = action.getPredicate();
-		String objectUri = action.getObjectUri();
-		return canPublishResource(subjectUri) && canPublishPredicate(predicate)
-				&& canPublishResource(objectUri);
-	}
-
-	private boolean canPublishResource(String resourceUri) {
-		return PropertyRestrictionBean.getBean().canPublishResource(
-				resourceUri, this.roleLevel);
-	}
-
-	private boolean canPublishPredicate(Property predicate) {
-		return PropertyRestrictionBean.getBean().canPublishPredicate(predicate,
-				this.roleLevel);
-	}
-
-	@Override
-	public String toString() {
-		return "PublishByRolePermission['" + roleName + "']";
-	}
-
-}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/permissions/SimplePermission.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/permissions/SimplePermission.java
index 82ee603fa7..3cfbc4a3e1 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/permissions/SimplePermission.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/permissions/SimplePermission.java
@@ -2,153 +2,80 @@
 
 package edu.cornell.mannlib.vitro.webapp.auth.permissions;
 
-import java.util.ArrayList;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.SimpleRequestedAction;
-
-/**
- * A class of simple permissions. Each instance holds a RequestedAction, and
- * will only authorize that RequestedAction (or one with the same URI).
- */
-public class SimplePermission extends Permission {
-	private static final Log log = LogFactory.getLog(SimplePermission.class);
-
-	private static final String NAMESPACE = "java:"
-			+ SimplePermission.class.getName() + "#";
-
-	private static final Map<String, SimplePermission> allInstances = new HashMap<String, SimplePermission>();
-
-	public static final SimplePermission ACCESS_SPECIAL_DATA_MODELS = new SimplePermission(
-		NAMESPACE + "AccessSpecialDataModels");
-	public static final SimplePermission DO_BACK_END_EDITING = new SimplePermission(
-		NAMESPACE + "DoBackEndEditing");
-	public static final SimplePermission DO_FRONT_END_EDITING = new SimplePermission(
-		NAMESPACE + "DoFrontEndEditing");
-	public static final SimplePermission EDIT_ONTOLOGY = new SimplePermission(
-		NAMESPACE + "EditOntology");
-	public static final SimplePermission EDIT_OWN_ACCOUNT = new SimplePermission(
-		NAMESPACE + "EditOwnAccount");
-	public static final SimplePermission EDIT_SITE_INFORMATION = new SimplePermission(
-		NAMESPACE + "EditSiteInformation");
-	public static final SimplePermission ENABLE_DEVELOPER_PANEL = new SimplePermission(
-		NAMESPACE + "EnableDeveloperPanel");
-	public static final SimplePermission LOGIN_DURING_MAINTENANCE = new SimplePermission(
-		NAMESPACE + "LoginDuringMaintenance");
-	public static final SimplePermission MANAGE_MENUS = new SimplePermission(
-		NAMESPACE + "ManageMenus");
-	public static final SimplePermission MANAGE_OWN_PROXIES = new SimplePermission(
-		NAMESPACE + "ManageOwnProxies");
-	public static final SimplePermission MANAGE_PROXIES = new SimplePermission(
-		NAMESPACE + "ManageProxies");
-	public static final SimplePermission MANAGE_SEARCH_INDEX = new SimplePermission(
-		NAMESPACE + "ManageSearchIndex");
-	public static final SimplePermission MANAGE_USER_ACCOUNTS = new SimplePermission(
-		NAMESPACE + "ManageUserAccounts");
-	public static final SimplePermission QUERY_FULL_MODEL = new SimplePermission(
-		NAMESPACE + "QueryFullModel");
-	public static final SimplePermission QUERY_USER_ACCOUNTS_MODEL = new SimplePermission(
-		NAMESPACE + "QueryUserAccountsModel");
-	public static final SimplePermission REFRESH_VISUALIZATION_CACHE = new SimplePermission(
-		NAMESPACE + "RefreshVisualizationCache");
-	public static final SimplePermission SEE_CONFIGURATION = new SimplePermission(
-		NAMESPACE + "SeeConfiguration");
-	public static final SimplePermission SEE_INDVIDUAL_EDITING_PANEL = new SimplePermission(
-		NAMESPACE + "SeeIndividualEditingPanel");
-	public static final SimplePermission SEE_REVISION_INFO = new SimplePermission(
-		NAMESPACE + "SeeRevisionInfo");
-	public static final SimplePermission SEE_SITE_ADMIN_PAGE = new SimplePermission(
-		NAMESPACE + "SeeSiteAdminPage");
-	public static final SimplePermission SEE_STARTUP_STATUS = new SimplePermission(
-		NAMESPACE + "SeeStartupStatus");
-	public static final SimplePermission SEE_VERBOSE_PROPERTY_INFORMATION = new SimplePermission(
-		NAMESPACE + "SeeVerbosePropertyInformation");
-	public static final SimplePermission USE_ADVANCED_DATA_TOOLS_PAGES = new SimplePermission(
-		NAMESPACE + "UseAdvancedDataToolsPages");
-	public static final SimplePermission USE_INDIVIDUAL_CONTROL_PANEL = new SimplePermission(
-		NAMESPACE + "UseIndividualControlPanel");
-	public static final SimplePermission USE_SPARQL_QUERY_PAGE = new SimplePermission(
-		NAMESPACE + "UseSparqlQueryPage");
-	public static final SimplePermission USE_SPARQL_QUERY_API = new SimplePermission(
-		NAMESPACE + "UseSparqlQueryApi");
-	public static final SimplePermission USE_SPARQL_UPDATE_API = new SimplePermission(
-		NAMESPACE + "UseSparqlUpdateApi");
-
-	// ----------------------------------------------------------------------
-	// These instances are "catch all" permissions to cover poorly defined
-	// groups of actions until better definitions were found. Don't add usages
-	// of these, and remove existing usages where possible.
-	// ----------------------------------------------------------------------
-
-	public static final SimplePermission USE_BASIC_AJAX_CONTROLLERS = new SimplePermission(
-		NAMESPACE + "UseBasicAjaxControllers");
-	public static final SimplePermission USE_MISCELLANEOUS_ADMIN_PAGES = new SimplePermission(
-		NAMESPACE + "UseMiscellaneousAdminPages");
-	public static final SimplePermission USE_MISCELLANEOUS_CURATOR_PAGES = new SimplePermission(
-		NAMESPACE + "UseMiscellaneousCuratorPages");
-	public static final SimplePermission USE_MISCELLANEOUS_PAGES = new SimplePermission(
-		NAMESPACE + "UseMiscellaneousPages");
-
-	// ----------------------------------------------------------------------
-	// These instances are permissions that can be specified for a given page created/managed through page management,
-	// e.g. this page is viewable only by admins, this page is viewable to anyone who is logged in, etc.
-	// ----------------------------------------------------------------------
-	public static final SimplePermission PAGE_VIEWABLE_ADMIN = new SimplePermission(
-			NAMESPACE + "PageViewableAdmin");
-		public static final SimplePermission PAGE_VIEWABLE_CURATOR = new SimplePermission(
-			NAMESPACE + "PageViewableCurator");
-		public static final SimplePermission PAGE_VIEWABLE_LOGGEDIN = new SimplePermission(
-			NAMESPACE + "PageViewableLoggedIn");
-		public static final SimplePermission PAGE_VIEWABLE_EDITOR = new SimplePermission(
-			NAMESPACE + "PageViewableEditor");
-		public static final SimplePermission PAGE_VIEWABLE_PUBLIC = new SimplePermission(
-			NAMESPACE + "PageViewablePublic");
-
-
-	public static List<SimplePermission> getAllInstances() {
-		return new ArrayList<SimplePermission>(allInstances.values());
-	}
-
-	//private final String localName;
-	public final RequestedAction ACTION;
-
-	public SimplePermission(String uri) {
-		super(uri);
-
-		if (uri == null) {
-			throw new NullPointerException("uri may not be null.");
-		}
-
-		this.ACTION = new SimpleRequestedAction(uri);
-
-		if (allInstances.containsKey(this.uri)) {
-			throw new IllegalStateException("A SimplePermission named '"
-					+ this.uri + "' already exists.");
-		}
-		allInstances.put(uri, this);
-	}
-
-	@Override
-	public boolean isAuthorized(RequestedAction whatToAuth) {
-		if (whatToAuth != null) {
-			if (ACTION.getURI().equals(whatToAuth.getURI())) {
-				log.debug(this + " authorizes " + whatToAuth);
-				return true;
-			}
-		}
-		log.debug(this + " does not authorize " + whatToAuth);
-		return false;
-	}
-
-	@Override
-	public String toString() {
-		return "SimplePermission['" + uri+ "']";
-	}
-
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType;
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.NamedAccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.SimpleAuthorizationRequest;
+
+public class SimplePermission {
+
+  //Access rules stored here for compatibility reasons
+
+    public static final SimplePermission ACCESS_SPECIAL_DATA_MODELS = new SimplePermission("AccessSpecialDataModels");
+    public static final SimplePermission DO_BACK_END_EDITING = new SimplePermission("DoBackEndEditing");
+    public static final SimplePermission DO_FRONT_END_EDITING = new SimplePermission("DoFrontEndEditing");
+    public static final SimplePermission EDIT_ONTOLOGY = new SimplePermission("EditOntology");
+    public static final SimplePermission EDIT_OWN_ACCOUNT = new SimplePermission("EditOwnAccount");
+    public static final SimplePermission EDIT_SITE_INFORMATION = new SimplePermission("EditSiteInformation");
+    public static final SimplePermission ENABLE_DEVELOPER_PANEL = new SimplePermission("EnableDeveloperPanel");
+    public static final SimplePermission LOGIN_DURING_MAINTENANCE = new SimplePermission("LoginDuringMaintenance");
+    public static final SimplePermission MANAGE_MENUS = new SimplePermission("ManageMenus");
+    public static final SimplePermission MANAGE_OWN_PROXIES = new SimplePermission("ManageOwnProxies");
+    public static final SimplePermission MANAGE_PROXIES = new SimplePermission("ManageProxies");
+    public static final SimplePermission MANAGE_SEARCH_INDEX = new SimplePermission("ManageSearchIndex");
+    public static final SimplePermission MANAGE_USER_ACCOUNTS = new SimplePermission("ManageUserAccounts");
+    public static final SimplePermission QUERY_FULL_MODEL = new SimplePermission("QueryFullModel");
+    public static final SimplePermission QUERY_USER_ACCOUNTS_MODEL = new SimplePermission("QueryUserAccountsModel");
+    public static final SimplePermission REFRESH_VISUALIZATION_CACHE = new SimplePermission("RefreshVisualizationCache");
+    public static final SimplePermission SEE_CONFIGURATION = new SimplePermission("SeeConfiguration");
+    public static final SimplePermission SEE_INDVIDUAL_EDITING_PANEL = new SimplePermission("SeeIndividualEditingPanel");
+    public static final SimplePermission SEE_REVISION_INFO = new SimplePermission("SeeRevisionInfo");
+    public static final SimplePermission SEE_SITE_ADMIN_PAGE = new SimplePermission("SeeSiteAdminPage");
+    public static final SimplePermission SEE_STARTUP_STATUS = new SimplePermission("SeeStartupStatus");
+    public static final SimplePermission SEE_VERBOSE_PROPERTY_INFORMATION = new SimplePermission("SeeVerbosePropertyInformation");
+    public static final SimplePermission USE_ADVANCED_DATA_TOOLS_PAGES = new SimplePermission("UseAdvancedDataToolsPages");
+    public static final SimplePermission USE_INDIVIDUAL_CONTROL_PANEL = new SimplePermission("UseIndividualControlPanel");
+    public static final SimplePermission USE_SPARQL_QUERY_PAGE = new SimplePermission("UseSparqlQueryPage");
+    public static final SimplePermission USE_SPARQL_QUERY_API = new SimplePermission("UseSparqlQueryApi");
+    public static final SimplePermission USE_SPARQL_UPDATE_API = new SimplePermission("UseSparqlUpdateApi");
+    
+    // ----------------------------------------------------------------------
+    // These instances are "catch all" permissions to cover poorly defined
+    // groups of actions until better definitions were found. Don't add usages
+    // of these, and remove existing usages where possible.
+    // ----------------------------------------------------------------------
+    
+    public static final SimplePermission USE_BASIC_AJAX_CONTROLLERS = new SimplePermission("UseBasicAjaxControllers");
+    public static final SimplePermission USE_MISCELLANEOUS_ADMIN_PAGES = new SimplePermission("UseMiscellaneousAdminPages");
+    public static final SimplePermission USE_MISCELLANEOUS_CURATOR_PAGES = new SimplePermission("UseMiscellaneousCuratorPages");
+    public static final SimplePermission USE_MISCELLANEOUS_PAGES = new SimplePermission("UseMiscellaneousPages");
+
+    // ----------------------------------------------------------------------
+    // These instances are permissions that can be specified for a given page
+    // created/managed through page management,
+    // e.g. this page is viewable only by admins, this page is viewable to anyone
+    // who is logged in, etc.
+    // ----------------------------------------------------------------------
+    
+    public static final SimplePermission PAGE_VIEWABLE_ADMIN = new SimplePermission("PageViewableAdmin");
+    public static final SimplePermission PAGE_VIEWABLE_CURATOR = new SimplePermission("PageViewableCurator");
+    public static final SimplePermission PAGE_VIEWABLE_LOGGEDIN = new SimplePermission("PageViewableLoggedIn");
+    public static final SimplePermission PAGE_VIEWABLE_EDITOR = new SimplePermission("PageViewableEditor");
+    public static final SimplePermission PAGE_VIEWABLE_PUBLIC = new SimplePermission("PageViewablePublic");
+    
+    
+    public SimpleAuthorizationRequest ACTION;
+    private String uri;
+    
+    public String getUri() {
+        return uri;
+    }
+
+    public static final String NS = "java:edu.cornell.mannlib.vitro.webapp.auth.permissions.SimplePermission#";
+
+    private SimplePermission(String uri) {
+        this.uri = SimplePermission.NS + uri;
+        NamedAccessObject ao = new NamedAccessObject(this.uri, AccessObjectType.NAMED_OBJECT);
+        this.ACTION = new SimpleAuthorizationRequest(ao, AccessOperation.EXECUTE);
+    }
 }
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/BaseSelfEditingPolicy.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/BaseSelfEditingPolicy.java
deleted file mode 100644
index 1541cfc8eb..0000000000
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/BaseSelfEditingPolicy.java
+++ /dev/null
@@ -1,61 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.policy;
-
-import javax.servlet.ServletContext;
-
-import edu.cornell.mannlib.vitro.webapp.auth.policy.bean.PropertyRestrictionBean;
-import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.Authorization;
-import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyDecision;
-import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean.RoleLevel;
-import edu.cornell.mannlib.vitro.webapp.beans.Property;
-
-/**
- * A base class with utility methods for policies involving self-editing.
- */
-public abstract class BaseSelfEditingPolicy {
-	protected final ServletContext ctx;
-	protected final RoleLevel roleLevel;
-
-	public BaseSelfEditingPolicy(ServletContext ctx, RoleLevel roleLevel) {
-		this.ctx = ctx;
-		this.roleLevel = roleLevel;
-	}
-
-	protected boolean canModifyResource(String uri) {
-		return PropertyRestrictionBean.getBean().canModifyResource(uri,
-				roleLevel);
-	}
-
-	protected boolean canModifyPredicate(Property predicate) {
-		return PropertyRestrictionBean.getBean().canModifyPredicate(predicate,
-				roleLevel);
-	}
-
-	protected PolicyDecision cantModifyResource(String uri) {
-		return inconclusiveDecision("No access to admin resources; cannot modify "
-				+ uri);
-	}
-
-	protected PolicyDecision cantModifyPredicate(Property predicate) {
-		return inconclusiveDecision("No access to admin predicates; cannot modify "
-				+ predicate.getURI());
-	}
-
-	protected PolicyDecision userNotAuthorizedToStatement() {
-		return inconclusiveDecision("User has no access to this statement.");
-	}
-
-	/** An INCONCLUSIVE decision with a message like "PolicyClass: message". */
-	protected PolicyDecision inconclusiveDecision(String message) {
-		return new BasicPolicyDecision(Authorization.INCONCLUSIVE, getClass()
-				.getSimpleName() + ": " + message);
-	}
-
-	/** An AUTHORIZED decision with a message like "PolicyClass: message". */
-	protected PolicyDecision authorizedDecision(String message) {
-		return new BasicPolicyDecision(Authorization.AUTHORIZED, getClass()
-				.getSimpleName() + ": " + message);
-	}
-
-}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/BasicPolicyDecision.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/BasicPolicyDecision.java
index b831be9ddb..3d0ed69974 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/BasicPolicyDecision.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/BasicPolicyDecision.java
@@ -2,7 +2,7 @@
 
 package edu.cornell.mannlib.vitro.webapp.auth.policy;
 
-import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.Authorization;
+import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.DecisionResult;
 import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyDecision;
 
 /**
@@ -14,21 +14,19 @@ public class BasicPolicyDecision implements PolicyDecision{
     String debuggingInfo;
     String message;
     String StackTrace;
-    Authorization authorized;
+    DecisionResult decisionResult;
 
-
-
-    public BasicPolicyDecision( Authorization authorized, String message) {
+    public BasicPolicyDecision( DecisionResult decisionResult, String message) {
         super();
         this.message = message;
-        this.authorized = authorized;
+        this.decisionResult = decisionResult;
     }
 
-    public Authorization getAuthorized() {
-        return authorized;
+    public DecisionResult getDecisionResult() {
+        return decisionResult;
     }
-    public BasicPolicyDecision setAuthorized(Authorization auth) {
-        this.authorized = auth;
+    public BasicPolicyDecision setDecisionResult(DecisionResult decisionResult) {
+        this.decisionResult = decisionResult;
         return this;
     }
     public String getDebuggingInfo() {
@@ -53,6 +51,6 @@ public void setStackTrace(String stackTrace) {
     }
 
     public String toString(){
-        return authorized + ": " + message;
+        return decisionResult + ": " + message;
     }
 }
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/CompositPolicyDecision.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/CompositPolicyDecision.java
deleted file mode 100644
index 22d568f2ff..0000000000
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/CompositPolicyDecision.java
+++ /dev/null
@@ -1,23 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.policy;
-
-import java.util.List;
-
-import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.Authorization;
-import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyDecision;
-
-/**
- * Policy decision that is made from some analysis of a set of decisions.
- * @author bdc34
- *
- */
-public class CompositPolicyDecision extends BasicPolicyDecision implements PolicyDecision {
-    List<PolicyDecision> subDecisions;
-
-    public CompositPolicyDecision(Authorization auth, String message, List<PolicyDecision> subDecisions){
-        super( auth, message);
-        this.subDecisions = subDecisions;
-    }
-
-}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/DisplayRestrictedDataToSelfPolicy.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/DisplayRestrictedDataToSelfPolicy.java
deleted file mode 100644
index 2c536813c7..0000000000
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/DisplayRestrictedDataToSelfPolicy.java
+++ /dev/null
@@ -1,179 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.policy;
-
-import java.util.Collection;
-
-import javax.servlet.ServletContext;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-
-import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle;
-import edu.cornell.mannlib.vitro.webapp.auth.identifier.common.HasAssociatedIndividual;
-import edu.cornell.mannlib.vitro.webapp.auth.policy.bean.PropertyRestrictionBean;
-import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.Authorization;
-import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyDecision;
-import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyIface;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.display.DisplayDataProperty;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.display.DisplayDataPropertyStatement;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.display.DisplayObjectProperty;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.display.DisplayObjectPropertyStatement;
-import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean.RoleLevel;
-import edu.cornell.mannlib.vitro.webapp.beans.DataPropertyStatement;
-import edu.cornell.mannlib.vitro.webapp.beans.Property;
-
-/**
- * Permit display of various data if it relates to the user's associated
- * individual.
- *
- * This policy is only to handle the case where a user would not be able to see
- * data except for their self-editing status. If the data would be visible
- * without that status, we assume that some other policy will grant access.
- */
-public class DisplayRestrictedDataToSelfPolicy implements PolicyIface {
-	private static final Log log = LogFactory
-			.getLog(DisplayRestrictedDataToSelfPolicy.class);
-
-	private final ServletContext ctx;
-
-	public DisplayRestrictedDataToSelfPolicy(ServletContext ctx) {
-		this.ctx = ctx;
-	}
-
-	/**
-	 * If the requested action is to display a property or a property statement,
-	 * we might authorize it based on their role level.
-	 */
-	@Override
-	public PolicyDecision isAuthorized(IdentifierBundle whoToAuth,
-			RequestedAction whatToAuth) {
-		if (whoToAuth == null) {
-			return defaultDecision("whomToAuth was null");
-		}
-		if (whatToAuth == null) {
-			return defaultDecision("whatToAuth was null");
-		}
-
-		Collection<String> associated = HasAssociatedIndividual
-				.getIndividualUris(whoToAuth);
-		if (associated.isEmpty()) {
-			return defaultDecision("not self-editing for anyone");
-		}
-
-		if (whatToAuth instanceof DisplayDataProperty) {
-			return defaultDecision("DataProperties have no associated 'self'");
-		} else if (whatToAuth instanceof DisplayObjectProperty) {
-			return defaultDecision("ObjectProperties have no associated 'self'");
-		}
-
-		PolicyDecision result;
-		if (whatToAuth instanceof DisplayDataPropertyStatement) {
-			result = isAuthorized((DisplayDataPropertyStatement) whatToAuth,
-					associated);
-		} else if (whatToAuth instanceof DisplayObjectPropertyStatement) {
-			result = isAuthorized((DisplayObjectPropertyStatement) whatToAuth,
-					associated);
-		} else {
-			result = defaultDecision("Unrecognized action");
-		}
-
-		log.debug("decision for '" + whatToAuth + "' is " + result);
-		return result;
-	}
-
-	/**
-	 * The user may see this data property statement if the subject and the
-	 * predicate are both viewable by self-editors, and the subject is one of
-	 * the associated individuals (the "selves").
-	 */
-	private PolicyDecision isAuthorized(DisplayDataPropertyStatement action,
-			Collection<String> individuals) {
-		DataPropertyStatement stmt = action.getDataPropertyStatement();
-		String subjectUri = stmt.getIndividualURI();
-		Property predicate = new Property(stmt.getDatapropURI());
-		if (canDisplayResource(subjectUri) && canDisplayPredicate(predicate)
-				&& isAboutAssociatedIndividual(individuals, subjectUri)) {
-			return authorized("user may view DataPropertyStatement "
-					+ subjectUri + " ==> " + predicate.getURI());
-		} else {
-			return defaultDecision("user may not view DataPropertyStatement "
-					+ subjectUri + " ==> " + predicate.getURI());
-		}
-	}
-
-	/**
-	 * The user may see this data property statement if the subject, the
-	 * predicate, and the object are all viewable by self-editors, and either
-	 * the subject or the object is one of the associated individuals (the
-	 * "selves").
-	 */
-	private PolicyDecision isAuthorized(DisplayObjectPropertyStatement action,
-			Collection<String> individuals) {
-		String subjectUri = action.getSubjectUri();
-		Property predicate = action.getProperty();
-		String objectUri = action.getObjectUri();
-		if (canDisplayResource(subjectUri)
-				&& canDisplayPredicate(predicate)
-				&& canDisplayResource(objectUri)
-				&& isAboutAssociatedIndividual(individuals, subjectUri,
-						objectUri)) {
-			return authorized("user may view ObjectPropertyStatement "
-					+ subjectUri + " ==> " + predicate.getURI() + " ==> "
-					+ objectUri);
-		} else {
-			return defaultDecision("user may not view ObjectPropertyStatement "
-					+ subjectUri + " ==> " + predicate.getURI() + " ==> "
-					+ objectUri);
-		}
-	}
-
-	/** If the user is explicitly authorized, return this. */
-	private PolicyDecision authorized(String message) {
-		String className = this.getClass().getSimpleName();
-		return new BasicPolicyDecision(Authorization.AUTHORIZED, className
-				+ ": " + message);
-	}
-
-	/** If the user isn't explicitly authorized, return this. */
-	private PolicyDecision defaultDecision(String message) {
-		return new BasicPolicyDecision(Authorization.INCONCLUSIVE, message);
-	}
-
-	private boolean canDisplayResource(String uri) {
-		return PropertyRestrictionBean.getBean().canDisplayResource(uri,
-				RoleLevel.SELF);
-	}
-
-	private boolean canDisplayPredicate(Property predicate) {
-		return PropertyRestrictionBean.getBean().canDisplayPredicate(predicate,
-				RoleLevel.SELF);
-	}
-
-	private boolean isAboutAssociatedIndividual(Collection<String> selves,
-			String subjectUri) {
-		for (String self : selves) {
-			if (self.equals(subjectUri)) {
-				return true;
-			}
-		}
-		return false;
-	}
-
-	private boolean isAboutAssociatedIndividual(Collection<String> selves,
-			String subjectUri, String objectUri) {
-		for (String self : selves) {
-			if (self.equals(subjectUri) || self.equals(objectUri)) {
-				return true;
-			}
-		}
-		return false;
-	}
-
-	@Override
-	public String toString() {
-		return this.getClass().getSimpleName() + " - " + hashCode();
-	}
-
-}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/DynamicPolicy.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/DynamicPolicy.java
new file mode 100644
index 0000000000..5f885a24be
--- /dev/null
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/DynamicPolicy.java
@@ -0,0 +1,102 @@
+/* $This file is distributed under the terms of the license in LICENSE$ */
+
+package edu.cornell.mannlib.vitro.webapp.auth.policy;
+
+import java.util.Collection;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.Set;
+
+import edu.cornell.mannlib.vitro.webapp.auth.objects.AccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.DecisionResult;
+import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.Policy;
+import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyDecision;
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.AuthorizationRequest;
+import edu.cornell.mannlib.vitro.webapp.auth.rules.AccessRule;
+import edu.cornell.mannlib.vitro.webapp.dao.VitroVocabulary;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+public class DynamicPolicy implements Policy {
+    private static final Log log = LogFactory.getLog(DynamicPolicy.class);
+    private String uri;
+
+    @Override
+    public String getUri() {
+        return uri;
+    }
+
+    @Override
+    public String getShortUri() {
+        return shortenUri(uri);
+    }
+
+    private long priority;
+
+    public long getPriority() {
+        return priority;
+    }
+
+    private Set<AccessRule> rules = Collections.synchronizedSet(new HashSet<>());
+
+    public Set<AccessRule> getRules() {
+        return rules;
+    }
+
+    public void addRules(Collection<AccessRule> collection) {
+        rules.addAll(collection);
+    }
+
+    public DynamicPolicy(String uri, long priority) {
+        this.uri = uri;
+        this.priority = priority;
+    }
+
+    @Override
+    public PolicyDecision decide(AuthorizationRequest ar) {
+        AccessObject whatToAuth = ar.getAccessObject();
+        if (whatToAuth == null) {
+            return defaultDecision("whatToAuth was null");
+        }
+        for (AccessRule rule : getFilteredRules(ar)) {
+            String policyUri = shortenUri(uri);
+            String ruleUri = shortenUri(rule.getRuleUri());
+            if (rule.match(ar)) {
+                if (rule.isAllowMatched()) {
+                    debug("Policy '" + policyUri + "' rule '" + ruleUri + "' approved request " + ar);
+                    String message = "Policy '" + policyUri + "' rule '" + ruleUri + "' approved " + ar;
+                    return new BasicPolicyDecision(DecisionResult.AUTHORIZED, message);
+                } else {
+                    debug("Policy '" + policyUri + "' rule " + ruleUri + " rejected request " + ar);
+                    String message = "Policy '" + policyUri + "' rule '" + ruleUri + "' rejected request" + ar;
+                    return new BasicPolicyDecision(DecisionResult.UNAUTHORIZED, message);
+                }
+            } else {
+                debug("Policy '" + policyUri + "' rule '" + ruleUri + "' didn't match request " + ar);
+            }
+        }
+
+        return defaultDecision("no permission will approve " + whatToAuth);
+    }
+
+    public Set<AccessRule> getFilteredRules(AuthorizationRequest ar) {
+        return rules;
+    }
+
+    private PolicyDecision defaultDecision(String message) {
+        return new BasicPolicyDecision(DecisionResult.INCONCLUSIVE, message);
+    }
+
+    private static String shortenUri(String uri) {
+        if (uri.startsWith(VitroVocabulary.AUTH_INDIVIDUAL_PREFIX)) {
+            return "access-individual:" + uri.substring(VitroVocabulary.AUTH_INDIVIDUAL_PREFIX.length());
+        }
+        return uri;
+    }
+
+    private static void debug(String message) {
+        if (log.isDebugEnabled()) {
+            log.debug(message);
+        }
+    }
+}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/EntityPolicyController.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/EntityPolicyController.java
new file mode 100644
index 0000000000..98145a6f38
--- /dev/null
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/EntityPolicyController.java
@@ -0,0 +1,187 @@
+/* $This file is distributed under the terms of the license in LICENSE$ */
+
+package edu.cornell.mannlib.vitro.webapp.auth.policy;
+
+import static edu.cornell.mannlib.vitro.webapp.dao.VitroVocabulary.AUTH_VOCABULARY_PREFIX;
+
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType;
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation;
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AttributeValueKey;
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AttributeValueSet;
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AttributeValueSetRegistry;
+import edu.cornell.mannlib.vitro.webapp.beans.Property;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+public class EntityPolicyController {
+
+    private static final Log log = LogFactory.getLog(EntityPolicyController.class);
+    private static Map<String, String> policyKeyToDataValueMap = new HashMap<String, String>();
+
+    /**
+     * @param entityUri - entity uniform resource identifier
+     * @param aot - access object type
+     * @param ao - access operation
+     * @param selectedRoles - list of roles to assign
+     * @param roles - list of all available roles
+     */
+    public static void updateEntityDataSet(String entityUri, AccessObjectType aot, AccessOperation ao,
+            List<String> selectedRoles, List<String> roles) {
+        if (StringUtils.isBlank(entityUri)) {
+            return;
+        }
+        Set<String> selectedSet = new HashSet<>(selectedRoles);
+        for (String role : roles) {
+            if (selectedSet.contains(role)) {
+                grantAccess(entityUri, aot, ao, role);
+            } else {
+                revokeAccess(entityUri, aot, ao, role);
+            }
+        }
+    }
+
+    private static AttributeValueSetRegistry getRegistry() {
+        return AttributeValueSetRegistry.getInstance();
+    }
+
+    public static void revokeAccess(String entityUri, AccessObjectType aot, AccessOperation ao, String role) {
+        AttributeValueKey key = new AttributeValueKey(ao, aot, role, aot.toString());
+        AttributeValueSet set = getRegistry().get(key);
+        if (set != null) {
+            if (set.contains(entityUri)) {
+                set.remove(entityUri);
+                String toRemove = getValueStatementString(entityUri, set.getValueSetUri());
+                getLoader().updateAccessControlModel(toRemove, false);
+            }
+        } else {
+            reduceInactiveValueSet(entityUri, aot, ao, role);
+        }
+    }
+
+    private static PolicyLoader getLoader() {
+        return PolicyLoader.getInstance();
+    }
+
+    private static void reduceInactiveValueSet(String entityUri, AccessObjectType aot, AccessOperation ao,
+            String role) {
+        StringBuilder removals = new StringBuilder();
+        getDataValueStatements(entityUri, aot, ao, Collections.singleton(role), removals);
+        getLoader().updateAccessControlModel(removals.toString(), false);
+    }
+
+    public static void grantAccess(String entityUri, AccessObjectType aot, AccessOperation ao, String role) {
+        AttributeValueKey key = new AttributeValueKey(ao, aot, role, aot.toString());
+        AttributeValueSet set = getRegistry().get(key);
+        if (set != null) {
+            if (!set.contains(entityUri)) {
+                set.add(entityUri);
+                String toAdd = getValueStatementString(entityUri, set.getValueSetUri());
+                getLoader().updateAccessControlModel(toAdd, true);
+            }
+        } else {
+            extendInactiveValueSet(entityUri, aot, ao, role);
+            loadPolicy(aot, ao, role);
+        }
+    }
+
+    private static void loadPolicy(AccessObjectType aot, AccessOperation ao, String role) {
+        String dataSetUri =
+                getLoader().getDataSetUriByKey(new String[] { }, new String[] { ao.toString(), aot.toString(), role });
+        if (dataSetUri != null) {
+            DynamicPolicy policy = getLoader().loadPolicyFromTemplateDataSet(dataSetUri);
+            if (policy != null) {
+                PolicyStore.getInstance().add(policy);
+            }
+        }
+    }
+
+    private static void extendInactiveValueSet(String entityUri, AccessObjectType aot, AccessOperation ao,
+            String role) {
+        StringBuilder additions = new StringBuilder();
+        getDataValueStatements(entityUri, aot, ao, Collections.singleton(role), additions);
+        getLoader().updateAccessControlModel(additions.toString(), true);
+    }
+
+    public static boolean isGranted(String entityUri, AccessObjectType aot, AccessOperation ao, String role) {
+        if (StringUtils.isBlank(entityUri)) {
+            return false;
+        }
+        AttributeValueSetRegistry registry = getRegistry();
+        AttributeValueKey key = new AttributeValueKey(ao, aot, role, aot.toString());
+        AttributeValueSet set = registry.get(key);
+        if (set == null) {
+            return false;
+        }
+        return set.contains(entityUri);
+    }
+
+    public static List<String> getGrantedRoles(String entityUri, AccessOperation ao, AccessObjectType aot,
+            List<String> allRoles) {
+        if (StringUtils.isBlank(entityUri)) {
+            return Collections.emptyList();
+        }
+        List<String> grantedRoles = new LinkedList<>();
+        for (String role : allRoles) {
+            if (isUriInTestDataset(entityUri, ao, aot, role)) {
+                grantedRoles.add(role);
+            }
+        }
+        return grantedRoles;
+    }
+
+    public static void getDataValueStatements(String entityUri, AccessObjectType aot, AccessOperation ao,
+            Set<String> selectedRoles, StringBuilder sb) {
+        if (StringUtils.isBlank(entityUri)) {
+            return;
+        }
+        for (String role : selectedRoles) {
+            String valueSetUri = getValueSetUri(aot, ao, role);
+            if (valueSetUri == null) {
+                log.debug(String.format("Policy value set wasn't found by key:\n%s\n%s\n%s", ao, aot, role));
+                continue;
+            }
+            sb.append(getValueStatementString(entityUri, valueSetUri));
+        }
+    }
+
+    private static String getValueStatementString(String entityUri, String valueSetUri) {
+        return "<" + valueSetUri + "> <" + AUTH_VOCABULARY_PREFIX + "value> <" + entityUri + "> .\n";
+    }
+
+    public static void deletedEntityEvent(Property oldObj) {
+        log.debug("Don't delete access rule if property has been deleted " + oldObj);
+    }
+
+    public static void updatedEntityEvent(Object oldObj, Object newObj) {
+        if (oldObj instanceof Property || newObj instanceof Property) {
+            log.debug("update entity event old " + oldObj + " new object " + newObj);
+        }
+    }
+
+    public static void insertedEntityEvent(Property newObj) {
+        log.debug("Nothing to do " + newObj);
+    }
+
+    private static boolean isUriInTestDataset(String entityUri, AccessOperation ao, AccessObjectType aot, String role) {
+        Set<String> values = getLoader().getDataSetValues(ao, aot, role);
+        return values.contains(entityUri);
+    }
+
+    private static String getValueSetUri(AccessObjectType aot, AccessOperation ao, String role) {
+        String key = aot.toString() + "." + ao.toString() + "." + role;
+        if (policyKeyToDataValueMap.containsKey(key)) {
+            return policyKeyToDataValueMap.get(key);
+        }
+        String uri = getLoader().getEntityValueSetUri(ao, aot, role);
+        policyKeyToDataValueMap.put(key, uri);
+        return uri;
+    }
+}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PermissionsPolicy.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PermissionsPolicy.java
deleted file mode 100644
index 0a66bdeffc..0000000000
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PermissionsPolicy.java
+++ /dev/null
@@ -1,56 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.policy;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-
-import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle;
-import edu.cornell.mannlib.vitro.webapp.auth.identifier.common.HasPermission;
-import edu.cornell.mannlib.vitro.webapp.auth.permissions.Permission;
-import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.Authorization;
-import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyDecision;
-import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyIface;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction;
-
-/**
- * The user is authorized to perform the RequestedAction if one of his
- * Permissions will authorize it.
- */
-public class PermissionsPolicy implements PolicyIface {
-	private static final Log log = LogFactory.getLog(PermissionsPolicy.class);
-
-	@Override
-	public PolicyDecision isAuthorized(IdentifierBundle whoToAuth,
-			RequestedAction whatToAuth) {
-		if (whoToAuth == null) {
-			return defaultDecision("whomToAuth was null");
-		}
-		if (whatToAuth == null) {
-			return defaultDecision("whatToAuth was null");
-		}
-
-		for (Permission p : HasPermission.getPermissions(whoToAuth)) {
-			if (p.isAuthorized(whatToAuth)) {
-				log.debug("Permission " + p + " approves request " + whatToAuth);
-				return new BasicPolicyDecision(Authorization.AUTHORIZED,
-						"PermissionsPolicy: approved by " + p);
-			} else {
-			    log.trace("Permission " + p + " denies request " + whatToAuth);
-			}
-		}
-		log.debug("No permission will approve " + whatToAuth);
-		return defaultDecision("no permission will approve " + whatToAuth);
-	}
-
-	/** If the user isn't explicitly authorized, return this. */
-	private PolicyDecision defaultDecision(String message) {
-		return new BasicPolicyDecision(Authorization.INCONCLUSIVE, message);
-	}
-
-	@Override
-	public String toString() {
-		return "PermissionsPolicy - " + hashCode();
-	}
-
-}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/Policies.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/Policies.java
new file mode 100644
index 0000000000..f57588beca
--- /dev/null
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/Policies.java
@@ -0,0 +1,23 @@
+/* $This file is distributed under the terms of the license in LICENSE$ */
+
+package edu.cornell.mannlib.vitro.webapp.auth.policy;
+
+import java.util.List;
+
+import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.Policy;
+
+public interface Policies {
+
+    List<Policy> getList();
+
+    boolean contains(Policy policy);
+
+    void add(Policy policy);
+
+    long size();
+
+    void clear();
+
+    void remove(String policyUri);
+
+}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyDecisionLogger.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyDecisionLogger.java
index 1880c76939..435d193eab 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyDecisionLogger.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyDecisionLogger.java
@@ -2,175 +2,164 @@
 
 package edu.cornell.mannlib.vitro.webapp.auth.policy;
 
-import static edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.Authorization.INCONCLUSIVE;
+import static edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.DecisionResult.INCONCLUSIVE;
 
 import java.util.regex.Pattern;
 
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation;
 import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.AccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.Policy;
 import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyDecision;
-import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyIface;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction;
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.AuthorizationRequest;
 import edu.cornell.mannlib.vitro.webapp.utils.developer.DeveloperSettings;
 import edu.cornell.mannlib.vitro.webapp.utils.developer.Key;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
 
 /**
- * If enabled in the developer settings (and log levels), log each
- * PolicyDecision (subject to restrictions).
+ * If enabled in the developer settings (and log levels), log each PolicyDecision (subject to restrictions).
  *
- * Some restrictions apply to the logger as a whole. Others apply to the
- * particular policy or the particular decision.
+ * Some restrictions apply to the logger as a whole. Others apply to the particular policy or the particular decision.
  */
 public class PolicyDecisionLogger {
-	private static final Log log = LogFactory
-			.getLog(PolicyDecisionLogger.class);
-
-	private static final Pattern NEVER_MATCHES = Pattern.compile("^__NEVER__$");
-
-	private static final BasicPolicyDecision NULL_DECISION = new BasicPolicyDecision(
-			INCONCLUSIVE, "The decision was null.");
-
-	private final DeveloperSettings settings;
-	private final RequestedAction whatToAuth;
-	private final IdentifierBundle whoToAuth;
-
-	private final boolean enabled;
-
-	private final Pattern policyRestriction;
-	private final boolean skipInconclusive;
-	private final boolean includeIdentifiers;
-
-	public PolicyDecisionLogger(IdentifierBundle whoToAuth,
-			RequestedAction whatToAuth) {
-		this.settings = DeveloperSettings.getInstance();
-		this.whoToAuth = whoToAuth;
-		this.whatToAuth = whatToAuth;
-
-		this.enabled = figureEnabled();
-
-		this.policyRestriction = figurePolicyRestriction();
-		this.skipInconclusive = figureSkipInconclusive();
-		this.includeIdentifiers = figureIncludeIdentifiers();
-	}
-
-	private boolean figureEnabled() {
-		return log.isInfoEnabled()
-				&& settings.getBoolean(Key.AUTHORIZATION_LOG_DECISIONS_ENABLE)
-				&& passesUserRestriction() && passesActionRestriction();
-	}
-
-	/**
-	 * The identifier bundle passes if there is no restriction, or if the
-	 * restriction pattern is found within concatenated string of the identifier
-	 * bundle.
-	 *
-	 * If the restriction is invalid, the action fails.
-	 */
-	private boolean passesUserRestriction() {
-		Pattern userRestriction = compilePatternFromSetting(Key.AUTHORIZATION_LOG_DECISIONS_USER_RESTRICTION);
-		return userRestriction == null
-				|| userRestriction.matcher(String.valueOf(whoToAuth)).find();
-	}
-
-	/**
-	 * The requested action passes if there is no restriction, or if the
-	 * restriction pattern is found within the class name of the action.
-	 *
-	 * If the restriction is invalid, the action fails.
-	 */
-	private boolean passesActionRestriction() {
-		Pattern actionRestriction = compilePatternFromSetting(Key.AUTHORIZATION_LOG_DECISIONS_ACTION_RESTRICTION);
-		return actionRestriction == null
-				|| actionRestriction.matcher(String.valueOf(whatToAuth)).find();
-	}
-
-	/**
-	 * Only compile the policy restriction pattern once.
-	 */
-	private Pattern figurePolicyRestriction() {
-		return compilePatternFromSetting(Key.AUTHORIZATION_LOG_DECISIONS_POLICY_RESTRICTION);
-	}
-
-	/**
-	 * Do we log inconclusive decisions?
-	 */
-	private boolean figureSkipInconclusive() {
-		return settings
-				.getBoolean(Key.AUTHORIZATION_LOG_DECISIONS_SKIP_INCONCLUSIVE);
-	}
-
-	/**
-	 * Do we include Identifiers in the log record?
-	 */
-	private boolean figureIncludeIdentifiers() {
-		return settings
-				.getBoolean(Key.AUTHORIZATION_LOG_DECISIONS_ADD_IDENTIFERS);
-	}
-
-	/**
-	 * If no pattern was provided, return null. If an invalid pattern was
-	 * provided, return a pattern that never matches.
-	 */
-	private Pattern compilePatternFromSetting(Key key) {
-		String setting = settings.getString(key);
-		if (setting.isEmpty()) {
-			return null;
-		} else {
-			try {
-				return Pattern.compile(setting);
-			} catch (Exception e) {
-				return NEVER_MATCHES;
-			}
-		}
-	}
-
-	/**
-	 * If the logger and the policy and the decision all pass the restrictions,
-	 * write to the log. A null decision is treated as inconclusive.
-	 */
-	public void log(PolicyIface policy, PolicyDecision pd) {
-		if (passesRestrictions(String.valueOf(policy), pd)) {
-			if (this.includeIdentifiers) {
-				log.info(String.format(
-						"Decision on %s by %s was %s; user is %s",
-						this.whatToAuth, policy, pd, this.whoToAuth));
-			} else {
-				log.info(String.format("Decision on %s by %s was %s",
-						this.whatToAuth, policy, pd));
-			}
-		}
-	}
-
-	private boolean passesRestrictions(String policyString, PolicyDecision pd) {
-		if (pd == null) {
-			pd = NULL_DECISION;
-		}
-		return enabled && passesPolicyRestriction(policyString)
-				&& passesConclusiveRestriction(pd);
-	}
-
-	private boolean passesPolicyRestriction(String policyString) {
-		return this.policyRestriction == null
-				|| this.policyRestriction.matcher(policyString).find();
-	}
-
-	private boolean passesConclusiveRestriction(PolicyDecision pd) {
-		return !(skipInconclusive && isInconclusive(pd));
-	}
-
-	private boolean isInconclusive(PolicyDecision pd) {
-		return pd == null || pd.getAuthorized() == INCONCLUSIVE;
-	}
-
-	public void logNoDecision(PolicyDecision pd) {
-		if (enabled) {
-			if (this.includeIdentifiers) {
-				log.info(pd.getMessage() + "; user is " + this.whoToAuth);
-			} else {
-				log.info(pd.getMessage());
-			}
-		}
-	}
+    private static final Log log = LogFactory.getLog(PolicyDecisionLogger.class);
+
+    private static final Pattern NEVER_MATCHES = Pattern.compile("^__NEVER__$");
+
+    private static final BasicPolicyDecision NULL_DECISION =
+            new BasicPolicyDecision(INCONCLUSIVE, "The decision was null.");
+
+    private final DeveloperSettings settings;
+    private final AccessObject object;
+    private final AccessOperation operation;
+    private final IdentifierBundle whoToAuth;
+
+    private final boolean enabled;
+
+    private final Pattern policyRestriction;
+    private final boolean skipInconclusive;
+    private final boolean includeIdentifiers;
+
+    public PolicyDecisionLogger(AuthorizationRequest ar) {
+        this.settings = DeveloperSettings.getInstance();
+        this.whoToAuth = ar.getIds();
+        this.object = ar.getAccessObject();
+        this.operation = ar.getAccessOperation();
+
+        this.enabled = figureEnabled();
+
+        this.policyRestriction = figurePolicyRestriction();
+        this.skipInconclusive = figureSkipInconclusive();
+        this.includeIdentifiers = figureIncludeIdentifiers();
+    }
+
+    private boolean figureEnabled() {
+        return log.isInfoEnabled() && settings.getBoolean(Key.AUTHORIZATION_LOG_DECISIONS_ENABLE)
+                && passesUserRestriction() && passesActionRestriction();
+    }
+
+    /**
+     * The identifier bundle passes if there is no restriction, or if the restriction pattern is found within
+     * concatenated string of the identifier bundle.
+     *
+     * If the restriction is invalid, the action fails.
+     */
+    private boolean passesUserRestriction() {
+        Pattern userRestriction = compilePatternFromSetting(Key.AUTHORIZATION_LOG_DECISIONS_USER_RESTRICTION);
+        return userRestriction == null || userRestriction.matcher(String.valueOf(whoToAuth)).find();
+    }
+
+    /**
+     * The requested action passes if there is no restriction, or if the restriction pattern is found within the class
+     * name of the action.
+     *
+     * If the restriction is invalid, the action fails.
+     */
+    private boolean passesActionRestriction() {
+        Pattern actionRestriction = compilePatternFromSetting(Key.AUTHORIZATION_LOG_DECISIONS_ACTION_RESTRICTION);
+        return actionRestriction == null || actionRestriction.matcher(String.valueOf(object)).find();
+    }
+
+    /**
+     * Only compile the policy restriction pattern once.
+     */
+    private Pattern figurePolicyRestriction() {
+        return compilePatternFromSetting(Key.AUTHORIZATION_LOG_DECISIONS_POLICY_RESTRICTION);
+    }
+
+    /**
+     * Do we log inconclusive decisions?
+     */
+    private boolean figureSkipInconclusive() {
+        return settings.getBoolean(Key.AUTHORIZATION_LOG_DECISIONS_SKIP_INCONCLUSIVE);
+    }
+
+    /**
+     * Do we include Identifiers in the log record?
+     */
+    private boolean figureIncludeIdentifiers() {
+        return settings.getBoolean(Key.AUTHORIZATION_LOG_DECISIONS_ADD_IDENTIFERS);
+    }
+
+    /**
+     * If no pattern was provided, return null. If an invalid pattern was provided, return a pattern that never matches.
+     */
+    private Pattern compilePatternFromSetting(Key key) {
+        String setting = settings.getString(key);
+        if (setting.isEmpty()) {
+            return null;
+        } else {
+            try {
+                return Pattern.compile(setting);
+            } catch (Exception e) {
+                return NEVER_MATCHES;
+            }
+        }
+    }
+
+    /**
+     * If the logger and the policy and the decision all pass the restrictions, write to the log. A null decision is
+     * treated as inconclusive.
+     */
+    public void log(Policy policy, PolicyDecision pd) {
+        if (passesRestrictions(String.valueOf(policy), pd)) {
+            if (this.includeIdentifiers) {
+                log.info(String.format("Decision on %s %s by %s was %s; user is %s", this.operation, this.object,
+                        policy.getShortUri(), pd, this.whoToAuth));
+            } else {
+                log.info(String.format("Decision on %s %s by %s was %s", this.operation, this.object,
+                        policy.getShortUri(), pd));
+            }
+        }
+    }
+
+    private boolean passesRestrictions(String policyString, PolicyDecision pd) {
+        if (pd == null) {
+            pd = NULL_DECISION;
+        }
+        return enabled && passesPolicyRestriction(policyString) && passesConclusiveRestriction(pd);
+    }
+
+    private boolean passesPolicyRestriction(String policyString) {
+        return this.policyRestriction == null || this.policyRestriction.matcher(policyString).find();
+    }
+
+    private boolean passesConclusiveRestriction(PolicyDecision pd) {
+        return !(skipInconclusive && isInconclusive(pd));
+    }
+
+    private boolean isInconclusive(PolicyDecision pd) {
+        return pd == null || pd.getDecisionResult() == INCONCLUSIVE;
+    }
+
+    public void logNoDecision(PolicyDecision pd) {
+        if (enabled) {
+            if (this.includeIdentifiers) {
+                log.info(pd.getMessage() + "; user is " + this.whoToAuth);
+            } else {
+                log.info(pd.getMessage());
+            }
+        }
+    }
 }
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyDecisionPoint.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyDecisionPoint.java
new file mode 100644
index 0000000000..1e317a7a4a
--- /dev/null
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyDecisionPoint.java
@@ -0,0 +1,48 @@
+/* $This file is distributed under the terms of the license in LICENSE$ */
+
+package edu.cornell.mannlib.vitro.webapp.auth.policy;
+
+import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.DecisionResult;
+import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.Policy;
+import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyDecision;
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.AuthorizationRequest;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+public class PolicyDecisionPoint {
+
+    private static final Log log = LogFactory.getLog(PolicyDecisionPoint.class.getName());
+
+    public static PolicyDecision decide(AuthorizationRequest ar) {
+        PolicyDecision pd = null;
+        PolicyDecisionLogger logger = new PolicyDecisionLogger(ar);
+        PolicyStore store = PolicyStore.getInstance();
+        for (Policy policy : store.getList()) {
+            try {
+                pd = policy.decide(ar);
+                logger.log(policy, pd);
+                if (pd != null) {
+                    if (pd.getDecisionResult() == DecisionResult.AUTHORIZED) {
+                        return pd;
+                    }
+                    if (pd.getDecisionResult() == DecisionResult.UNAUTHORIZED) {
+                        return pd;
+                    }
+
+                    if (pd.getDecisionResult() == DecisionResult.INCONCLUSIVE) {
+                        continue;
+                    }
+                } else {
+                    log.debug("policy " + policy.toString() + " returned a null PolicyDecision");
+                }
+            } catch (Throwable th) {
+                log.error("ignoring exception in policy " + policy.getUri(), th);
+            }
+        }
+
+        pd = new BasicPolicyDecision(DecisionResult.INCONCLUSIVE,
+                "No policy returned a conclusive decision on " + ar.getAccessObject());
+        logger.logNoDecision(pd);
+        return pd;
+    }
+}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyHelper.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyHelper.java
index 67f61897cb..b515a4863e 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyHelper.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyHelper.java
@@ -2,7 +2,11 @@
 
 package edu.cornell.mannlib.vitro.webapp.auth.policy;
 
-import static edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction.SOME_URI;
+import static edu.cornell.mannlib.vitro.webapp.auth.objects.AccessObject.SOME_URI;
+
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.List;
 
 import javax.servlet.http.HttpServletRequest;
 
@@ -18,19 +22,24 @@
 import org.apache.jena.rdf.model.Statement;
 import org.apache.jena.rdf.model.StmtIterator;
 
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation;
 import edu.cornell.mannlib.vitro.webapp.auth.identifier.ActiveIdentifierBundleFactories;
 import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle;
 import edu.cornell.mannlib.vitro.webapp.auth.identifier.RequestIdentifiers;
-import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyIface;
+import edu.cornell.mannlib.vitro.webapp.auth.identifier.common.HasAssociatedIndividual;
+import edu.cornell.mannlib.vitro.webapp.auth.identifier.common.IdentifierPermissionSetProvider;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.AccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.DataPropertyStatementAccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.ObjectPropertyStatementAccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.DecisionResult;
+import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyDecision;
 import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.AuthorizationRequest;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AddDataPropertyStatement;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AddObjectPropertyStatement;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.DropDataPropertyStatement;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.DropObjectPropertyStatement;
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.AuthorizationRequest.WRAP_TYPE;
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.SimpleAuthorizationRequest;
 import edu.cornell.mannlib.vitro.webapp.beans.Property;
 import edu.cornell.mannlib.vitro.webapp.beans.UserAccount;
 import edu.cornell.mannlib.vitro.webapp.controller.authenticate.Authenticator;
+import edu.cornell.mannlib.vitro.webapp.dao.VitroVocabulary;
 
 /**
  * A collection of static methods to help determine whether requested actions
@@ -39,44 +48,91 @@
 public class PolicyHelper {
 	private static final Log log = LogFactory.getLog(PolicyHelper.class);
 
-	/**
-	 * Are these actions authorized for the current user by the current
-	 * policies?
-	 */
-	public static boolean isAuthorizedForActions(HttpServletRequest req,
-			AuthorizationRequest... actions) {
-		return isAuthorizedForActions(req, AuthorizationRequest.andAll(actions));
-	}
-
-	/**
-	 * Are these actions authorized for the current user by the current
-	 * policies?
-	 */
-	public static boolean isAuthorizedForActions(HttpServletRequest req,
-			Iterable<? extends AuthorizationRequest> actions) {
-		return isAuthorizedForActions(req, AuthorizationRequest.andAll(actions));
-	}
-
-	/**
-	 * Are these actions authorized for the current user by the current
-	 * policies?
-	 */
-	private static boolean isAuthorizedForActions(HttpServletRequest req,
-			AuthorizationRequest ar) {
-		PolicyIface policy = ServletPolicyList.getPolicies(req);
+	public static boolean isAuthorizedForActions(HttpServletRequest req, AccessObject ar, AccessOperation operation) {
 		IdentifierBundle ids = RequestIdentifiers.getIdBundleForRequest(req);
-		return ar.isAuthorized(ids, policy);
+		return actionRequestIsAuthorized(ids, ar, operation);
 	}
-
-	/**
-	 * Are these actions authorized for these identifiers by these policies?
-	 */
-	public static boolean isAuthorizedForActions(IdentifierBundle ids,
-			PolicyIface policy, AuthorizationRequest ar) {
-		return ar.isAuthorized(ids, policy);
+	
+    public static boolean isAuthorizedForActions(IdentifierBundle ids, AccessObject ar, AccessOperation op) {
+        return actionRequestIsAuthorized(ids, ar, op);
+    }
+    
+    public static boolean isAuthorizedForActions(IdentifierBundle ids, AuthorizationRequest ar) {
+        if (ar == null) {
+            log.error("AuthorizationRequest is null");
+            return false;
+        }
+        if (ar.getPredefinedDecision() != DecisionResult.INCONCLUSIVE){
+            return ar.getPredefinedDecision() == DecisionResult.AUTHORIZED;
+        }
+        if (ar.getWrapType() != null) {
+            return processUnwrappedAuthorizationRequest(ar, ids);
+        }
+        return actionRequestIsAuthorized(ids, ar.getAccessObject(), ar.getAccessOperation());
+    }
+
+    public static boolean isAuthorizedForActions(HttpServletRequest req, AuthorizationRequest ar) {
+        if (ar == null) {
+            log.error("AuthorizationRequest is null");
+            return false;
+        }
+        if (ar.getPredefinedDecision() != DecisionResult.INCONCLUSIVE){
+            return ar.getPredefinedDecision() == DecisionResult.AUTHORIZED;
+        }
+        IdentifierBundle ids = RequestIdentifiers.getIdBundleForRequest(req);
+        if (ar.getWrapType() != null) {
+            return processUnwrappedAuthorizationRequest(ar, ids);
+        }
+        return actionRequestIsAuthorized(ids, ar.getAccessObject(), ar.getAccessOperation());
+    }
+
+    private static boolean processUnwrappedAuthorizationRequest(AuthorizationRequest ar, IdentifierBundle ids) {
+        List<AuthorizationRequest> items = ar.getItems();
+        boolean result = false;
+        if (WRAP_TYPE.OR == ar.getWrapType()) {
+            for (AuthorizationRequest item : items ) {
+                result = result || isAuthorizedForActions(ids, item);
+            }    
+        } else {
+            result = true;
+            for (AuthorizationRequest item : items ) {
+                result = result && isAuthorizedForActions(ids, item);
+            } 
+        }
+        return result;
+    }
+
+	private static boolean actionRequestIsAuthorized(IdentifierBundle ids, AccessObject ao, AccessOperation operation) {
+	    if (operation == null) {
+	        log.error("Opeartion is null, accessObject " + ao );
+	        return false;
+	    }
+        if (ao == null) {
+            log.error("Access object is null, operation " + operation);
+            return false;
+        }
+        AuthorizationRequest ar = new SimpleAuthorizationRequest(ao, operation);
+        Collection<String> uris = IdentifierPermissionSetProvider.getPermissionSetUris(ids);
+        if (uris.isEmpty()) {
+            uris.add(VitroVocabulary.VITRO_AUTH + "PUBLIC");
+        }
+        ar.setRoleUris(new ArrayList<String>(uris));
+        
+        ar.setIds(ids);
+        ar.setEditorUris(new ArrayList<String>(HasAssociatedIndividual.getIndividualUris(ids)));
+	    PolicyDecision decision = PolicyDecisionPoint.decide(ar);
+	    debug(ar, decision);
+        return decision.getDecisionResult() == DecisionResult.AUTHORIZED;
 	}
 
-	/**
+	private static void debug(AuthorizationRequest ar, PolicyDecision decision) {
+	    if (log.isDebugEnabled()) {
+	        AccessObject ao = ar.getAccessObject();
+            log.debug(String.format("Request for %s on object %s resulted in decision %s", ar.getAccessOperation(), ao, decision.getDecisionResult()));
+	    }
+    }
+
+    /**
 	 * Is the email/password authorized for these actions? This should be used
 	 * when a controller or something needs allow actions if the user passes in
 	 * their email and password.
@@ -84,8 +140,7 @@ public static boolean isAuthorizedForActions(IdentifierBundle ids,
 	 * It may be better to check this as part of a servlet Filter and add an
 	 * identifier bundle.
 	 */
-	public static boolean isAuthorizedForActions(HttpServletRequest req,
-			String email, String password, AuthorizationRequest ar) {
+	public static boolean isAuthorizedForActions(HttpServletRequest req, String email, String password, AuthorizationRequest ar) {
 		if (password == null || email == null || password.isEmpty()
 				|| email.isEmpty()) {
 			return false;
@@ -111,10 +166,8 @@ public static boolean isAuthorizedForActions(HttpServletRequest req,
 					+ "account URI: %s", email, uri));
 
 			// figure out if that account can do the actions
-			IdentifierBundle ids = ActiveIdentifierBundleFactories
-					.getUserIdentifierBundle(req, user);
-			PolicyIface policy = ServletPolicyList.getPolicies(req);
-			return ar.isAuthorized(ids, policy);
+			IdentifierBundle ids = ActiveIdentifierBundleFactories.getUserIdentifierBundle(user);
+			return isAuthorizedForActions(ids, ar);
 		} catch (Exception ex) {
 			log.error("Error while attempting to authorize actions " + ar, ex);
 			return false;
@@ -127,8 +180,7 @@ public static boolean isAuthorizedForActions(HttpServletRequest req,
 	 *
 	 * The statement is expected to be fully-populated, with no null fields.
 	 */
-	public static boolean isAuthorizedToAdd(HttpServletRequest req,
-			Statement stmt, OntModel modelToBeModified) {
+	public static boolean isAuthorizedToAdd(HttpServletRequest req,	Statement stmt, OntModel modelToBeModified) {
 		if ((req == null) || (stmt == null) || (modelToBeModified == null)) {
 			return false;
 		}
@@ -140,20 +192,20 @@ public static boolean isAuthorizedToAdd(HttpServletRequest req,
 			return false;
 		}
 
-		RequestedAction action;
+		AccessObject action;
 		if (objectNode.isResource()) {
 			Property property = new Property(predicate.getURI());
 			property.setDomainVClassURI(SOME_URI);
 			property.setRangeVClassURI(SOME_URI);
-			action = new AddObjectPropertyStatement(modelToBeModified,
+			action = new ObjectPropertyStatementAccessObject(modelToBeModified,
 					subject.getURI(), property, objectNode.asResource()
 							.getURI());
 		} else {
-			action = new AddDataPropertyStatement(modelToBeModified,
+			action = new DataPropertyStatementAccessObject(modelToBeModified,
 					subject.getURI(), predicate.getURI(), objectNode
 							.asLiteral().getString());
 		}
-		return isAuthorizedForActions(req, action);
+		return isAuthorizedForActions(req, action, AccessOperation.ADD);
 	}
 
 	/**
@@ -162,8 +214,7 @@ public static boolean isAuthorizedToAdd(HttpServletRequest req,
 	 *
 	 * The statement is expected to be fully-populated, with no null fields.
 	 */
-	public static boolean isAuthorizedToDrop(HttpServletRequest req,
-			Statement stmt, OntModel modelToBeModified) {
+	public static boolean isAuthorizedToDrop(HttpServletRequest req, Statement stmt, OntModel modelToBeModified) {
 		if ((req == null) || (stmt == null) || (modelToBeModified == null)) {
 			return false;
 		}
@@ -175,20 +226,20 @@ public static boolean isAuthorizedToDrop(HttpServletRequest req,
 			return false;
 		}
 
-		RequestedAction action;
+		AccessObject action;
 		if (objectNode.isResource()) {
 			Property property = new Property(predicate.getURI());
 			property.setDomainVClassURI(SOME_URI);
 			property.setRangeVClassURI(SOME_URI);
-			action = new DropObjectPropertyStatement(modelToBeModified,
+			action = new ObjectPropertyStatementAccessObject(modelToBeModified,
 					subject.getURI(), property, objectNode.asResource()
 							.getURI());
 		} else {
-			action = new DropDataPropertyStatement(modelToBeModified,
+			action = new DataPropertyStatementAccessObject(modelToBeModified,
 					subject.getURI(), predicate.getURI(), objectNode
 							.asLiteral().getString());
 		}
-		return isAuthorizedForActions(req, action);
+		return isAuthorizedForActions(req, action, AccessOperation.DROP);
 	}
 
 	/**
@@ -204,8 +255,7 @@ public static boolean isAuthorizedToDrop(HttpServletRequest req,
 	 * log will contain a full record of all failures. This is no more expensive
 	 * than if all statements succeeded.
 	 */
-	public static boolean isAuthorizedAsExpected(HttpServletRequest req,
-			Model additions, Model retractions, OntModel modelBeingModified) {
+	public static boolean isAuthorizedAsExpected(HttpServletRequest req, Model additions, Model retractions, OntModel modelBeingModified) {
 		if (req == null) {
 			log.warn("Can't evaluate authorization if req is null");
 			return false;
@@ -334,4 +384,5 @@ private PolicyHelper() {
 		// nothing to do.
 	}
 
+
 }
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyList.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyList.java
deleted file mode 100644
index 8baf48889a..0000000000
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyList.java
+++ /dev/null
@@ -1,66 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.policy;
-
-import java.util.ArrayList;
-import java.util.Collection;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-
-import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle;
-import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.Authorization;
-import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyDecision;
-import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyIface;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction;
-
-/**
- * This is a List of Policy Objects that implements PolciyIface.  The intent
- * is to make it easy to query a list of policies for a PolicyDecision.
- *
- *  The Policy objects in the PolicyList are queried for authorization in order
- *  and return the first AUTHORIZED or UNAUTHROIZED decision.  INCONCLUSIVE
- *  or null decisions will be ignored and the next policy on the list will
- *  be queried.
- */
-public class PolicyList extends ArrayList<PolicyIface> implements PolicyIface{
-    private static final Log log = LogFactory.getLog(PolicyList.class.getName());
-
-    public PolicyList(){
-        super();
-    }
-
-	public PolicyList(Collection<PolicyIface> policies) {
-		super(policies);
-	}
-
-	@Override
-	public PolicyDecision isAuthorized(IdentifierBundle whoToAuth, RequestedAction whatToAuth) {
-	    PolicyDecision pd = null;
-	    PolicyDecisionLogger logger = new PolicyDecisionLogger(whoToAuth, whatToAuth);
-	    for(PolicyIface policy : this){
-            try{
-                pd = policy.isAuthorized(whoToAuth, whatToAuth);
-                logger.log(policy, pd);
-                if( pd != null ){
-                    if(  pd.getAuthorized() == Authorization.AUTHORIZED )
-                        return pd;
-                    if( pd.getAuthorized() == Authorization.UNAUTHORIZED )
-                        return pd;
-                    if( pd.getAuthorized() == Authorization.INCONCLUSIVE )
-                        continue;
-                } else{
-                    log.debug("policy " + policy.toString() + " returned a null PolicyDecision");
-                }
-            }catch(Throwable th){
-                log.error("ignoring exception in policy " + policy.toString(), th );
-            }
-        }
-
-		pd = new BasicPolicyDecision(Authorization.INCONCLUSIVE,
-				"No policy returned a conclusive decision on " + whatToAuth);
-		logger.logNoDecision(pd);
-		return pd;
-	}
-
-}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyLoader.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyLoader.java
new file mode 100644
index 0000000000..bc70622e17
--- /dev/null
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyLoader.java
@@ -0,0 +1,1020 @@
+/* $This file is distributed under the terms of the license in LICENSE$ */
+
+package edu.cornell.mannlib.vitro.webapp.auth.policy;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.InputStream;
+import java.io.StringWriter;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType;
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation;
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.Attribute;
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AttributeValueKey;
+import edu.cornell.mannlib.vitro.webapp.auth.checks.CheckFactory;
+import edu.cornell.mannlib.vitro.webapp.auth.rules.AccessRule;
+import edu.cornell.mannlib.vitro.webapp.auth.rules.AccessRuleFactory;
+import edu.cornell.mannlib.vitro.webapp.dao.jena.event.BulkUpdateEvent;
+import edu.cornell.mannlib.vitro.webapp.modelaccess.ModelNames;
+import edu.cornell.mannlib.vitro.webapp.rdfservice.ChangeSet;
+import edu.cornell.mannlib.vitro.webapp.rdfservice.RDFService;
+import edu.cornell.mannlib.vitro.webapp.rdfservice.RDFService.ModelSerializationFormat;
+import edu.cornell.mannlib.vitro.webapp.rdfservice.RDFServiceException;
+import edu.cornell.mannlib.vitro.webapp.rdfservice.ResultSetConsumer;
+import edu.cornell.mannlib.vitro.webapp.rdfservice.adapters.VitroModelFactory;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.jena.query.ParameterizedSparqlString;
+import org.apache.jena.query.QuerySolution;
+import org.apache.jena.query.ResultSet;
+import org.apache.jena.query.ResultSetFormatter;
+import org.apache.jena.rdf.model.Model;
+import org.apache.jena.rdf.model.RDFNode;
+import org.apache.tika.utils.StringUtils;
+
+public class PolicyLoader {
+
+    private static final String PRIORITY = "priority";
+    public static final String POLICY = "policy";
+    private static final Log log = LogFactory.getLog(PolicyLoader.class);
+    private static final String POLICY_QUERY = ""
+            + "prefix auth: <http://vitro.mannlib.cornell.edu/ns/vitro/authorization#>\n"
+            + "prefix access: <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/>\n"
+            + "SELECT DISTINCT ?policy \n"
+            + "WHERE {\n"
+            + "  GRAPH <http://vitro.mannlib.cornell.edu/default/access-control> {\n"
+            + "    { ?policy a access:Policy . }\n"
+            + "      UNION \n"
+            + "    { ?policy a access:PolicyTemplate . }\n"
+            + "  }\n"
+            + "}";
+
+    private static final String PRIORITY_QUERY = ""
+            + "prefix auth: <http://vitro.mannlib.cornell.edu/ns/vitro/authorization#>\n"
+            + "prefix access: <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/>\n"
+            + "SELECT DISTINCT ?" + PRIORITY + " \n"
+            + "WHERE {\n"
+            + "  GRAPH <http://vitro.mannlib.cornell.edu/default/access-control> {\n"
+            + "    OPTIONAL {?" + POLICY + " access:priority ?set_priority" + " . }\n"
+            + "    BIND(COALESCE(?set_priority, 0 ) as ?" + PRIORITY + " ) .\n"
+            + "  }\n"
+            + "} ORDER BY ?" + PRIORITY;
+
+
+    private static final String DATASET_PRIORITY_QUERY = ""
+            + "prefix auth: <http://vitro.mannlib.cornell.edu/ns/vitro/authorization#>\n"
+            + "prefix access: <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/>\n"
+            + "SELECT DISTINCT ?" + PRIORITY + " \n"
+            + "WHERE {\n"
+            + "  GRAPH <http://vitro.mannlib.cornell.edu/default/access-control> {\n"
+            + "    ?policyTemplate access:priority ?set_priority .\n"
+            + "    ?policyTemplate access:hasDataSet ?dataSet .\n"
+            + "    OPTIONAL {?policy access:priority ?policyPriority" + " . }\n"
+            + "    OPTIONAL {?dataSet access:priority ?dataSetPriority" + " . }\n"
+            + "    BIND(COALESCE(?dataSetPriority, ?policyPriority, 0 ) as ?" + PRIORITY + " ) .\n"
+            + "  }\n"
+            + "} ORDER BY ?" + PRIORITY;
+
+    private static final String DATASET_QUERY = ""
+            + "prefix auth: <http://vitro.mannlib.cornell.edu/ns/vitro/authorization#>\n"
+            + "prefix access: <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/>\n"
+            + "SELECT DISTINCT ?dataSet \n" + "WHERE {\n"
+            + "  GRAPH <http://vitro.mannlib.cornell.edu/default/access-control> {\n"
+            + "       ?policy a access:PolicyTemplate .\n"
+            + "       ?policy access:hasDataSet ?dataSet .\n"
+            + "  }\n"
+            + "} ORDER BY ?dataSet";
+
+    private static final String NO_DATASET_RULES_QUERY = ""
+            + "prefix auth: <http://vitro.mannlib.cornell.edu/ns/vitro/authorization#>\n"
+            + "prefix access: <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/>\n"
+            + "SELECT DISTINCT ?policyUri ?rule ?check ?testId ?typeId ?value ?lit_value ?decision_id \n"
+            + "WHERE {\n"
+            + "  GRAPH <http://vitro.mannlib.cornell.edu/default/access-control> {\n"
+            + "?policy a access:Policy .\n"
+            + "?policy access:hasRule ?rule . \n"
+            + "?rule access:requiresCheck ?check .\n"
+            + "OPTIONAL {\n"
+            + "  ?check access:useOperator ?checkTest .\n"
+            + "  OPTIONAL {\n"
+            + "    ?checkTest access:id ?testId . \n"
+            + "  }\n"
+            + "}"
+            + "OPTIONAL {\n"
+            + "  ?check access:hasTypeToCheck ?checkType . \n"
+            + "  OPTIONAL {\n"
+            + "    ?checkType access:id ?typeId . \n"
+            + "  }\n"
+            + "}\n"
+            + "OPTIONAL {\n"
+            + "   ?rule access:hasDecision ?decision . \n"
+            + "   ?decision access:id ?decision_id . \n"
+            + "}\n"
+            + "?check access:value ?value . \n"
+            + "OPTIONAL {?value access:id ?lit_value . }\n"
+            + "  }\n"
+            + "BIND(?policy as ?policyUri)\n"
+            + "} ORDER BY ?rule ?check";
+
+    private static final String DATASET_RULES_QUERY = ""
+            + "prefix auth: <http://vitro.mannlib.cornell.edu/ns/vitro/authorization#>\n"
+            + "prefix access: <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/>\n"
+            + "SELECT DISTINCT ?policyUri ?rule ?check ?testId ?typeId ?value ?lit_value ?decision_id "
+            + " ?dataSetUri ?attributeValue ?setElementsType \n"
+            + "WHERE {\n"
+            + "  GRAPH <http://vitro.mannlib.cornell.edu/default/access-control> {\n"
+            + "    ?policy a access:PolicyTemplate .\n"
+            + "    ?policy access:hasDataSet ?dataSet .\n"
+            + "    ?policy access:hasRule ?rule .\n"
+            + "    ?rule access:requiresCheck ?check .\n"
+            + "    ?check a access:Check .\n"
+            + "    OPTIONAL {\n"
+            + "      ?check access:useOperator ?checkTest .\n"
+            + "      OPTIONAL {\n"
+            + "        ?checkTest access:id ?testId .\n"
+            + "      }\n"
+            + "    }\n"
+            + "    OPTIONAL {\n"
+            + "      ?check access:hasTypeToCheck ?checkType .\n"
+            + "      OPTIONAL {\n"
+            + "        ?checkType access:id ?typeId .\n"
+            + "      }\n"
+            + "    }\n"
+            + "    OPTIONAL {\n"
+            + "      ?rule access:hasDecision ?decision .\n"
+            + "      ?decision access:id ?decision_id .\n"
+            + "    }\n"
+            + "    OPTIONAL {\n"
+            + "      ?check access:values ?attributeValue .\n"
+            + "      ?attributeValue access:value ?value .\n"
+            + "      ?dataSet access:hasRelatedValueSet ?attributeValue .\n"
+            + "      OPTIONAL {\n"
+            + "        ?attributeValue access:containsElementsOfType ?setElementsTypeUri .\n"
+            + "        ?setElementsTypeUri access:id ?setElementsType ."
+            + "      }\n"
+            + "      OPTIONAL {?value access:id ?lit_value . }\n"
+            + "    }\n"
+            + "    OPTIONAL {\n"
+            + "      ?check access:value ?value .\n"
+            + "      OPTIONAL {?value access:id ?lit_value . }\n"
+            + "    }\n"
+            + "    BIND(?dataSet as ?dataSetUri)\n"
+            + "    BIND(?policy as ?policyUri)\n"
+            + "  }\n"
+            + "} ORDER BY ?rule ?check";
+
+    private static final String policyKeyTemplatePrefix = ""
+            + "prefix auth: <http://vitro.mannlib.cornell.edu/ns/vitro/authorization#>\n"
+            + "prefix access: <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/>\n"
+            + "SELECT DISTINCT ?"
+            + POLICY + " ?dataSet ?testData ?value ?valueId ?valueSet ( COUNT(?key) AS ?keySize ) \n"
+            + "WHERE {\n"
+            + "  GRAPH <http://vitro.mannlib.cornell.edu/default/access-control> {\n"
+            + "  ?" + POLICY + " access:hasDataSet ?dataSet .\n"
+            + "  ?dataSet access:hasDataSetKey ?dataSetKeyUri .\n"
+            + "  ?dataSet access:hasRelatedValueSet ?valueSet .\n"
+            + "  ?valueSet access:containsElementsOfType ?setElementsType .\n"
+            + "  ?setElementsType access:id ?setElementsId .\n"
+            + "  OPTIONAL { ?valueSet access:value ?value .\n"
+            + "    OPTIONAL { ?value access:id ?valueId . }\n"
+            + "  }\n"
+            + "  ?dataSetKeyUri access:hasKeyComponent ?key .\n";
+
+    private static final String policyKeyTemplateSuffix =
+            "}} GROUP BY ?" + POLICY + " ?dataSet ?value ?valueId ?testData ?valueSet";
+
+    private static final String policyStatementByKeyTemplatePrefix = ""
+            + "prefix auth: <http://vitro.mannlib.cornell.edu/ns/vitro/authorization#>\n"
+            + "prefix access: <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/>\n"
+            + "CONSTRUCT { \n"
+            + "  ?valueSet access:value <%s> .\n"
+            + "}\n"
+            + "WHERE {\n"
+            + "  GRAPH <http://vitro.mannlib.cornell.edu/default/access-control> {\n"
+            + "  ?dataSet access:hasDataSetKey ?dataSetKeyUri .\n"
+            + "  ?" + POLICY + " access:hasDataSet ?dataSet . \n"
+            + "  ?dataSet access:hasRelatedValueSet ?valueSet . \n"
+            + "  ?valueSet access:containsElementsOfType ?setElementsTypeUri . \n"
+            + "  ?setElementsTypeUri access:id ?setElementsType . \n";
+
+    private static final String policyStatementByKeyTemplateSuffix = "}}";
+
+    public static final String DATA_SET_TEMPLATES_QUERY = ""
+            + "prefix access: <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/>\n"
+            + "prefix access-individual: <https://vivoweb.org/ontology/vitro-application/auth/individual/>\n"
+            + "SELECT ?dataSetTemplate ?policyTemplate ( COUNT(?key) AS ?keySize )\n"
+            + "WHERE {\n"
+            + "  GRAPH <http://vitro.mannlib.cornell.edu/default/access-control> {\n"
+            + "    ?policyTemplate access:hasDataSetTemplate ?dataSetTemplate .\n"
+            + "    ?dataSetTemplate access:hasDataSetTemplateKey ?dataSetTemplateKey .\n"
+            + "    ?dataSetTemplateKey access:hasTemplateKeyComponent access-individual:SubjectRole .\n"
+            + "    ?dataSetTemplateKey access:hasTemplateKeyComponent ?key .\n"
+            + "  }\n"
+            + "}\n"
+            + "GROUP BY ?dataSetTemplate ?policyTemplate";
+
+    public static final String DATA_SET_KEY_TEMPLATE_QUERY = ""
+            + "prefix access: <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/>\n"
+            + "SELECT ?keyComponent \n"
+            + "WHERE {\n"
+            + "  GRAPH <http://vitro.mannlib.cornell.edu/default/access-control> {\n"
+            + "    ?dataSetTemplate access:hasDataSetKeyTemplate ?dataSetKeyTemplate .\n"
+            + "    ?dataSetKeyTemplate access:hasKeyComponent ?keyComponent .\n"
+            + "  }\n"
+            + "}\n";
+
+    public static final String ROLE_VALUE_PATTERNS_QUERY = ""
+            + "prefix access: <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/>\n"
+            + "SELECT ?rolePattern \n"
+            + "WHERE {\n"
+            + "  GRAPH <http://vitro.mannlib.cornell.edu/default/access-control> {\n"
+            + "    ?rolePattern a access:SubjectRoleUri .\n"
+            + "    ?rolePattern access:id ?roleUri .\n"
+            + "  }\n"
+            + "}\n";
+
+    public static final String DATA_SET_KEY_QUERY = ""
+            + "prefix access: <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/>\n"
+            + "SELECT ?keyComponent ?id ?type \n"
+            + "WHERE {\n"
+            + "  GRAPH <http://vitro.mannlib.cornell.edu/default/access-control> {\n"
+            + "    ?dataSet access:hasDataSetKey ?dataSetKey ."
+            + "    ?dataSetKey access:hasKeyComponent ?keyComponent .\n"
+            + "    OPTIONAL {\n"
+            + "      ?keyComponent access:id ?id .\n"
+            + "    }\n"
+            + "    OPTIONAL {\n"
+            + "      ?keyComponent a access:ObjectType .\n"
+            + "      BIND('ACCESS_OBJECT_TYPE' as ?type)\n"
+            + "    }\n"
+            + "    OPTIONAL {\n"
+            + "      ?keyComponent a access:Operation .\n"
+            + "      BIND('OPERATION' as ?type)\n"
+            + "    }\n"
+            + "    OPTIONAL {\n"
+            + "      ?keyComponent a access:SubjectRoleUri .\n"
+            + "      BIND('SUBJECT_ROLE_URI' as ?type)\n"
+            + "    }\n"
+            + "  }\n"
+            + "}\n";
+
+    public static final String DATA_SET_KEY_TEMPLATES_TEMPLATE_QUERY = ""
+            + "prefix access: <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/>\n"
+            + "SELECT ?keyComponentTemplate \n"
+            + "WHERE {\n"
+            + "  GRAPH <http://vitro.mannlib.cornell.edu/default/access-control> {\n"
+            + "    ?dataSetTemplate access:hasDataSetKeyTemplate ?dataSetKeyTemplate .\n"
+            + "    ?dataSetKeyTemplate access:hasKeyComponentTemplate ?keyComponentTemplate .\n"
+            + "  }\n"
+            + "}\n";
+
+    public static final String DATA_SET_VALUE_TEMPLATE_QUERY = ""
+            + "prefix access: <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/>\n"
+            + "SELECT ?valueSet \n"
+            + "WHERE {\n"
+            + "  GRAPH <http://vitro.mannlib.cornell.edu/default/access-control> {\n"
+            + "    ?dataSetTemplate access:hasRelatedValueSet ?valueSet .\n"
+            + "  }\n"
+            + "}\n";
+
+    public static final String DATA_SET_VALUE_SET_TEMPLATES_TEMPLATE_QUERY = ""
+            + "prefix access: <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/>\n"
+            + "SELECT ?valueSetTemplate \n"
+            + "WHERE {\n"
+            + "  GRAPH <http://vitro.mannlib.cornell.edu/default/access-control> {\n"
+            + "    ?dataSetTemplate access:dataSetValueTemplate ?valueSetTemplate .\n"
+            + "  }\n"
+            + "}\n";
+
+    public static final String CONSTRUCT_VALUE_SET_QUERY = ""
+            + "prefix access: <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/>\n"
+            + "CONSTRUCT {\n"
+            + "  ?relatedCheck access:values ?valueSet .\n"
+            + "  ?valueSet a access:ValueSet .\n"
+            + "  ?valueSet access:containsElementsOfType ?setElementsType .\n"
+            + "  ?valueSet access:value ?newRoleUri .\n"
+            + "  ?valueSet access:value ?dataValue ."
+            + "}\n"
+            + "WHERE {\n"
+            + "  GRAPH <http://vitro.mannlib.cornell.edu/default/access-control> {\n"
+            + "    ?valueSetTemplateUri access:relatedCheck ?relatedCheck .\n"
+            + "    ?valueSetTemplateUri access:containsElementsOfType ?setElementsType .\n"
+            + "    OPTIONAL {\n"
+            + "      ?valueSetTemplateUri access:value ?dataValue .\n"
+            + "    }\n"
+            + "    OPTIONAL {\n"
+            + "      FILTER ( str(?setElementsType) = 'https://vivoweb.org/ontology/vitro-application/auth/individual/SubjectRole' )\n"
+            + "      BIND(?role as ?newRoleUri)\n"
+            + "    }"
+            + "  }"
+            + "}\n";
+
+    private RDFService rdfService;
+    public static final String RULE = "rule";
+    public static final String LITERAL_VALUE = "lit_value";
+    public static final String ATTR_VALUE = "value";
+    public static final String CHECK = "check";
+    public static final String TEST_ID = "testId";
+    public static final String TYPE_ID = "typeId";
+    private static PolicyLoader INSTANCE;
+
+    public static PolicyLoader getInstance() {
+        return INSTANCE;
+    }
+
+    private PolicyLoader(RDFService rdfs) {
+        this.rdfService = rdfs;
+    }
+
+    public static void initialize(RDFService rdfService) {
+        INSTANCE = new PolicyLoader(rdfService);
+    }
+
+    public void loadPolicies() {
+        List<String> policyUris = getPolicyUris();
+        for (String uri : policyUris) {
+            debug("Loading policy %s", uri);
+            Set<DynamicPolicy> policies = loadPolicies(uri);
+            for (DynamicPolicy policy : policies) {
+                PolicyStore.getInstance().add(policy);
+                log.info("Loaded policy " + policy.getUri());
+            }
+        }
+    }
+
+    public List<String> getPolicyUris() {
+        debug("SPARQL Query to get policy uris from the graph:\n %s", POLICY_QUERY);
+        List<String> policyUris = new LinkedList<String>();
+        try {
+            rdfService.sparqlSelectQuery(POLICY_QUERY, new ResultSetConsumer() {
+                @Override
+                protected void processQuerySolution(QuerySolution qs) {
+                    if (!qs.contains(POLICY) || !qs.get(POLICY).isResource()) {
+                        // debug("Policy solution doesn't contain policy
+                        // resource");
+                        return;
+                    }
+                    policyUris.add(qs.getResource(POLICY).getURI());
+                }
+            });
+        } catch (RDFServiceException e) {
+            log.error(e, e);
+        }
+
+        return policyUris;
+    }
+
+    public Set<DynamicPolicy> loadPolicies(String uri) {
+        Set<DynamicPolicy> policies = new HashSet<>();
+        List<String> dataSetNames = getDataSetNames(uri);
+        if (dataSetNames.isEmpty()) {
+            Map<String, AccessRule> rules = new HashMap<>();
+            try {
+                loadRulesWithoutDataSet(uri, rules);
+            } catch (Exception e) {
+                log.info(String.format("Policy '%s' failed to load ", uri));
+                log.debug(e, e);
+            }
+            if (!rules.isEmpty()) {
+                long priority = getPriority(uri);
+                DynamicPolicy policy = new DynamicPolicy(uri, priority);
+                policy.addRules(rules.values());
+                policies.add(policy);
+            }
+        } else {
+            for (String dataSetName : dataSetNames) {
+                DynamicPolicy policy = loadPolicyFromTemplateDataSet(dataSetName);
+                if (policy != null) {
+                    policies.add(policy);
+                }
+            }
+        }
+
+        return policies;
+    }
+
+    public DynamicPolicy loadPolicyFromTemplateDataSet(String dataSetUri) {
+        Map<String, AccessRule> rules = new HashMap<>();
+        long priority = getPriorityFromDataSet(dataSetUri);
+        try {
+            loadRulesForDataSet(rules, dataSetUri);
+        } catch (Exception e) {
+            log.debug(String.format("Policy template dataset '%s' failed to load ", dataSetUri));
+            log.debug(e, e);
+            return null;
+        }
+        if (rules.isEmpty()) {
+            return null;
+        }
+        DynamicPolicy policy = new DynamicPolicy(dataSetUri, priority);
+        policy.addRules(rules.values());
+        return policy;
+    }
+
+    private long getPriorityFromDataSet(String dataSetUri) {
+        ParameterizedSparqlString pss = new ParameterizedSparqlString(DATASET_PRIORITY_QUERY);
+        pss.setIri("dataSet", dataSetUri);
+        debug("Get priority for dataset uri %s query:\n %s", dataSetUri, pss.toString());
+        long[] priority = new long[1];
+        try {
+            rdfService.sparqlSelectQuery(pss.toString(), new ResultSetConsumer() {
+                @Override
+                protected void processQuerySolution(QuerySolution qs) {
+                    if (!qs.contains(PRIORITY) || !qs.get(PRIORITY).isLiteral()) {
+                        priority[0] = 0L;
+                        return;
+                    }
+                    priority[0] = qs.getLiteral(PRIORITY).getLong();
+                }
+            });
+        } catch (RDFServiceException e) {
+            log.error(e, e);
+        }
+        return priority[0];
+    }
+
+    public Set<String> getDataSetValues(AccessOperation ao, AccessObjectType aot, String role) {
+        Set<String> values = new HashSet<>();
+        long expectedSize = 3;
+        String queryText = getDataSetByKeyQuery(new String[] {},
+                new String[] { ao.toString(), aot.toString(), role });
+        ParameterizedSparqlString pss = new ParameterizedSparqlString(queryText);
+        pss.setLiteral("setElementsId", aot.toString());
+        queryText = pss.toString();
+        debug("SPARQL Query to get policy data set values:\n %s", queryText);
+        try {
+            rdfService.sparqlSelectQuery(queryText, new ResultSetConsumer() {
+                @Override
+                protected void processQuerySolution(QuerySolution qs) {
+                    if (!qs.contains(POLICY) || !qs.contains("keySize") || !qs.get("keySize").isLiteral()) {
+                        return;
+                    }
+                    long keySize = qs.getLiteral("keySize").getLong();
+                    if (expectedSize != keySize) {
+                        return;
+                    }
+                    if (qs.contains("valueId") && qs.get("valueId").isLiteral()) {
+                        values.add(qs.getLiteral("valueId").getString());
+                    } else if (qs.contains("value")) {
+                        RDFNode node = qs.get("value");
+                        if (node.isLiteral()) {
+                            values.add(node.asLiteral().toString());
+                        } else if (node.isResource()) {
+                            values.add(node.asResource().getURI());
+                        }
+                    }
+                }
+            });
+        } catch (RDFServiceException e) {
+            log.error(e, e);
+        }
+        return values;
+    }
+
+    public String getEntityValueSetUri(AccessOperation ao, AccessObjectType aot, String role) {
+        long expectedSize = 3;
+        String queryText = getDataSetByKeyQuery(new String[] { }, new String[] { ao.toString(), aot.toString(), role });
+        ParameterizedSparqlString pss = new ParameterizedSparqlString(queryText);
+        pss.setLiteral("setElementsId", aot.toString());
+        queryText = pss.toString();
+        debug("SPARQL Query to get entity value set uri:\n %s", queryText);
+        String[] uri = new String[1];
+        try {
+            rdfService.sparqlSelectQuery(queryText, new ResultSetConsumer() {
+                @Override
+                protected void processQuerySolution(QuerySolution qs) {
+                    if (!qs.contains("dataSet") || !qs.get("dataSet").isResource() || !qs.contains("keySize")
+                            || !qs.get("keySize").isLiteral()) {
+                        return;
+                    }
+                    long keySize = qs.getLiteral("keySize").getLong();
+                    if (expectedSize != keySize) {
+                        log.error("wrong key size. Expected " + expectedSize + ". Actual " + keySize );
+                        return;
+                    }
+                    uri[0] = qs.getResource("valueSet").getURI();
+                }
+            });
+        } catch (RDFServiceException e) {
+            log.error(e, e);
+        }
+        return uri[0];
+    }
+
+    public void modifyPolicyDataSetValue(String entityUri, AccessOperation ao, AccessObjectType aot, String role,
+            boolean isAdd) {
+        String queryText = getPolicyDataSetValueStatementByKeyQuery(entityUri, new String[] { },
+                new String[] { ao.toString(), aot.toString(), role });
+        ParameterizedSparqlString pss = new ParameterizedSparqlString(queryText);
+        pss.setLiteral("setElementsType", aot.toString());
+        queryText = pss.toString();
+        debug("SPARQL Query to get policy data set values:\n %s", queryText);
+        Model m = VitroModelFactory.createModel();
+        try {
+            rdfService.sparqlConstructQuery(queryText, m);
+        } catch (RDFServiceException e) {
+            log.error(e, e);
+        }
+        if (m.isEmpty()) {
+            log.debug("statements to add/delete are empty");
+            return;
+        }
+        updateAccessControlModel(m, isAdd);
+    }
+
+    void updateAccessControlModel(Model data, boolean isAdd) {
+        StringWriter sw = new StringWriter();
+        data.write(sw, "TTL");
+        updateAccessControlModel(sw.toString(), isAdd);
+    }
+
+    public void updateAccessControlModel(String data, boolean isAdd) {
+        if (StringUtils.isBlank(data)) {
+            log.debug("String to update is empty");
+            return;
+        }
+
+        try {
+            ChangeSet changeSet = makeChangeSet();
+            InputStream in = new ByteArrayInputStream(data.getBytes());
+            debug(modelToString(data, isAdd));
+            if (isAdd) {
+                changeSet.addAddition(in, ModelSerializationFormat.N3, ModelNames.ACCESS_CONTROL);
+            } else {
+                changeSet.addRemoval(in, ModelSerializationFormat.N3, ModelNames.ACCESS_CONTROL);
+            }
+            rdfService.changeSetUpdate(changeSet);
+        } catch (RDFServiceException e) {
+            String message = modelToString(data, isAdd);
+            log.error(message);
+            log.error(e, e);
+        }
+    }
+
+    private String modelToString(String ruleData, boolean isAdd) {
+        String message = (isAdd ? "Adding to" : "Removing from") + " access control model \n" + ruleData;
+        return message;
+    }
+
+    private static String getPolicyDataSetValueStatementByKeyQuery(String entityUri, String[] uris, String[] ids) {
+        StringBuilder query = new StringBuilder();
+        query.append(String.format(policyStatementByKeyTemplatePrefix, entityUri));
+        for (String uri : uris) {
+            query.append(String.format("  ?dataSetKeyUri access:hasKeyComponent <%s> . \n", uri));
+        }
+        int i = 0;
+        for (String id : ids) {
+            query.append(String.format("  ?dataSetKeyUri access:hasKeyComponent ?uri%d . ?uri%d access:id \"%s\" . \n",
+                    i, i, id));
+            i++;
+        }
+        query.append(policyStatementByKeyTemplateSuffix);
+        return query.toString();
+    }
+
+    private static String getDataSetByKeyQuery(String[] uris, String[] ids) {
+        StringBuilder query = new StringBuilder(policyKeyTemplatePrefix);
+        for (String uri : uris) {
+            query.append(String.format("  ?dataSetKeyUri access:hasKeyComponent <%s> . \n", uri));
+        }
+        int i = 0;
+        for (String id : ids) {
+            query.append(String.format(
+                    "  ?dataSetKeyUri access:hasKeyComponent ?uri%d .\n  ?uri%d access:id \"%s\" . \n", i, i, id));
+            i++;
+        }
+        query.append(policyKeyTemplateSuffix);
+        return query.toString();
+    }
+
+    private long getPriority(String uri) {
+        ParameterizedSparqlString pss = new ParameterizedSparqlString(PRIORITY_QUERY);
+        pss.setIri(POLICY, uri);
+        debug("Get priority for uri %s query:\n %s", uri, pss.toString());
+        long[] priority = new long[1];
+        try {
+            rdfService.sparqlSelectQuery(pss.toString(), new ResultSetConsumer() {
+                @Override
+                protected void processQuerySolution(QuerySolution qs) {
+                    if (!qs.contains(PRIORITY) || !qs.get(PRIORITY).isLiteral()) {
+                        priority[0] = 0L;
+                        return;
+                    }
+                    priority[0] = qs.getLiteral(PRIORITY).getLong();
+                }
+            });
+        } catch (RDFServiceException e) {
+            log.error(e, e);
+        }
+        return priority[0];
+    }
+
+    private void loadRulesWithoutDataSet(String policyUri, Map<String, AccessRule> rules) throws Exception {
+        ParameterizedSparqlString pss = new ParameterizedSparqlString(NO_DATASET_RULES_QUERY);
+        pss.setIri(POLICY, policyUri);
+        debug(pss.toString());
+        Exception ex[] = new Exception[1];
+        try {
+            rdfService.sparqlSelectQuery(pss.toString(), new ResultSetConsumer() {
+                @Override
+                protected void processQuerySolution(QuerySolution qs) {
+                    try {
+                        if (isInvalidPolicySolution(qs)) {
+                            throw new Exception();
+                        }
+                        if (isRuleContinues(rules, qs)) {
+                            String ruleUri = qs.getResource("rule").getURI();
+                            populateRule(rules.get(ruleUri), qs, null);
+                        } else {
+                            AccessRule rule = AccessRuleFactory.createRule(qs);
+                            rules.put(rule.getRuleUri(), rule);
+                        }
+                    } catch (Exception e) {
+                        ex[0] = e;
+                    }
+                }
+            });
+        } catch (RDFServiceException e) {
+            log.error(e, e);
+        }
+        if (ex[0] != null) {
+            rules.clear();
+            throw ex[0];
+        }
+        if (!rules.isEmpty()) {
+            debug("Loaded %s rules for %s policy\n", rules.size(), policyUri);
+        } else {
+            debug("No rules loaded from the user accounts model for %s policy.\n", policyUri);
+        }
+    }
+
+    private void loadRulesForDataSet(Map<String, AccessRule> rules, String dataSetUri) throws Exception {
+        AttributeValueKey dataSetKey = getDataSetKey(dataSetUri);
+        ParameterizedSparqlString pss = new ParameterizedSparqlString(DATASET_RULES_QUERY);
+        pss.setIri("dataSet", dataSetUri);
+        debug(pss.toString());
+        Exception ex[] = new Exception[1];
+        try {
+            rdfService.sparqlSelectQuery(pss.toString(), new ResultSetConsumer() {
+                @Override
+                protected void processQuerySolution(QuerySolution qs) {
+                    try {
+                        if (isInvalidPolicySolution(qs)) {
+                            throw new Exception();
+                        }
+                        if (isRuleContinues(rules, qs)) {
+                            String ruleUri = qs.getResource("rule").getURI();
+                            populateRule(rules.get(ruleUri), qs, dataSetKey);
+                        } else {
+                            AccessRule rule = AccessRuleFactory.createRule(qs, dataSetKey);
+                            rules.put(rule.getRuleUri(), rule);
+                        }
+                    } catch (Exception e) {
+                        ex[0] = e;
+                    }
+                }
+            });
+        } catch (RDFServiceException e) {
+            log.error(e, e);
+        }
+        if (ex[0] != null) {
+            rules.clear();
+            throw ex[0];
+        }
+        if (!rules.isEmpty()) {
+            debug("Loaded %s rules for %s dataset\n", rules.size(), dataSetUri);
+        } else {
+            debug("No rules loaded from access control model for %s dataset.\n", dataSetUri);
+        }
+    }
+
+    private List<String> getDataSetNames(String policyUri) {
+        List<String> result = new ArrayList<>();
+        ParameterizedSparqlString pss = new ParameterizedSparqlString(DATASET_QUERY);
+        pss.setIri(POLICY, policyUri);
+        try {
+            rdfService.sparqlSelectQuery(pss.toString(), new ResultSetConsumer() {
+                @Override
+                protected void processQuerySolution(QuerySolution qs) {
+                    if (qs.contains("dataSet")) {
+                        RDFNode dataSet = qs.get("dataSet");
+                        if (dataSet.isResource()) {
+                            result.add(dataSet.asResource().getURI());
+                        }
+                    }
+                }
+            });
+        } catch (RDFServiceException e) {
+            log.error(e, e);
+        }
+        return result;
+    }
+
+    private void debugSelectQueryResults(ResultSet rs) {
+        ByteArrayOutputStream baos = new ByteArrayOutputStream();
+        ResultSetFormatter.outputAsJSON(baos, rs);
+        String json = new String(baos.toByteArray());
+        debug(json);
+    }
+
+    private static boolean isRuleContinues(Map<String, AccessRule> rules, QuerySolution qs) {
+        if (rules == null) {
+            return false;
+        }
+        String ruleUri = qs.getResource("rule").getURI();
+        return rules.containsKey(ruleUri);
+    }
+
+    private static void populateRule(AccessRule ar, QuerySolution qs, AttributeValueKey dataSetKey) throws Exception {
+        if (ar == null) {
+            return;
+        }
+        String checkUri = qs.getResource("check").getURI();
+        if (ar.containsCheckUri(checkUri)) {
+            CheckFactory.extendAttribute(ar.getCheck(checkUri), qs);
+            return;
+        }
+        try {
+            ar.addCheck(CheckFactory.createCheck(qs, dataSetKey));
+        } catch (Exception e) {
+            log.error(e, e);
+        }
+    }
+
+    private static boolean isInvalidPolicySolution(QuerySolution qs) {
+        if (!qs.contains("policyUri") || !qs.get("policyUri").isResource()) {
+            log.debug("Query solution doesn't contain policy uri");
+            return true;
+        }
+        String policy = qs.get("policyUri").asResource().getURI();
+        if (!qs.contains("rule") || !qs.get("rule").isResource()) {
+            log.debug(String.format("Query solution for policy <%s> doesn't contain rule uri", policy));
+            return true;
+        }
+        String rule = qs.get("rule").asResource().getLocalName();
+        if (!qs.contains("check") || !qs.get("check").isResource()) {
+            log.debug(String.format("Query solution for policy <%s> doesn't contain check uri", policy));
+            return true;
+        }
+        String check = qs.get("check").asResource().getLocalName();
+        if (!qs.contains("value")) {
+            log.debug(String.format("Query solution for policy <%s> rule %s check %s doesn't contain value", policy,
+                    rule, check));
+            return true;
+        }
+        if (!qs.contains("typeId") || !qs.get("typeId").isLiteral()) {
+            log.debug(String.format("Query solution for policy <%s> doesn't contain check type id", policy));
+            return true;
+        }
+        if (!qs.contains("testId") || !qs.get("testId").isLiteral()) {
+            log.debug(String.format("Query solution for policy <%s> doesn't contain check test id", policy));
+            return true;
+        }
+        return false;
+    }
+
+    private static void debug(String template, Object... objects) {
+        if (log.isDebugEnabled()) {
+            log.debug(String.format(template, objects));
+        }
+    }
+
+    public void addEntityToPolicyDataSet(String entityUri, AccessObjectType aot, AccessOperation ao, String role) {
+        modifyPolicyDataSetValue(entityUri, ao, aot, role, true);
+    }
+
+    public void removeEntityFromPolicyDataSet(String entityUri, AccessObjectType aot, AccessOperation ao, String role) {
+        modifyPolicyDataSetValue(entityUri, ao, aot, role, false);
+    }
+
+    private ChangeSet makeChangeSet() {
+        ChangeSet cs = rdfService.manufactureChangeSet();
+        cs.addPreChangeEvent(new BulkUpdateEvent(null, true));
+        cs.addPostChangeEvent(new BulkUpdateEvent(null, false));
+        return cs;
+    }
+
+    public String getDataSetUriByKey(String[] uris, String[] ids) {
+        long expectedSize = uris.length + ids.length;
+        final String queryText = getDataSetByKeyQuery(uris, ids);
+        debug("SPARQL Query to get policy data set values:\n %s", queryText);
+        String[] uri = new String[1];
+        try {
+            rdfService.sparqlSelectQuery(queryText, new ResultSetConsumer() {
+                @Override
+                protected void processQuerySolution(QuerySolution qs) {
+                    if (!qs.contains("dataSet") || !qs.get("dataSet").isResource() || !qs.contains("keySize")
+                            || !qs.get("keySize").isLiteral()) {
+                        return;
+                    }
+                    long keySize = qs.getLiteral("keySize").getLong();
+                    if (expectedSize != keySize) {
+                        return;
+                    }
+                    uri[0] = qs.getResource("dataSet").getURI();
+                }
+            });
+        } catch (RDFServiceException e) {
+            log.error(e, e);
+        }
+        return uri[0];
+    }
+
+    public AttributeValueKey getDataSetKey(String dataSetUri) {
+        AttributeValueKey compositeKey = new AttributeValueKey();
+        ParameterizedSparqlString pss = new ParameterizedSparqlString(DATA_SET_KEY_QUERY);
+        pss.setIri("dataSet", dataSetUri);
+        final String queryText = pss.toString();
+        debug("SPARQL Query to get data set key:\n %s", queryText);
+        try {
+            rdfService.sparqlSelectQuery(queryText, new ResultSetConsumer() {
+                @Override
+                protected void processQuerySolution(QuerySolution qs) {
+                    String keyComponent = qs.getResource("keyComponent").getURI();
+                    if (qs.contains("id") && qs.get("id").isLiteral()) {
+                        String id = qs.getLiteral("id").getString();
+                        if (qs.contains("type") && qs.get("type").isLiteral()) {
+                            String type = qs.getLiteral("type").getString();
+                            if (Attribute.OPERATION.toString().equals(type)) {
+                                compositeKey.setOperation(AccessOperation.valueOf(id));
+                            }
+                            if (Attribute.ACCESS_OBJECT_TYPE.toString().equals(type)) {
+                                compositeKey.setObjectType(AccessObjectType.valueOf(id));
+                            }
+                            if (Attribute.SUBJECT_ROLE_URI.toString().equals(type)) {
+                                compositeKey.setRole(id);
+                            }
+                        }
+                    } else {
+                        //assume keyComponent is a role
+                        compositeKey.setRole(keyComponent);
+                    }
+                }
+            });
+        } catch (RDFServiceException e) {
+            log.error(e, e);
+        }
+        return compositeKey;
+    }
+
+    public Map<String, String> getRoleDataSetTemplates() {
+        Map<String, String> dataSetTemplates = new HashMap<>();
+        long expectedSize = 1;
+        final String queryText = DATA_SET_TEMPLATES_QUERY;
+        debug("SPARQL Query to get data set templates:\n %s", queryText);
+        try {
+            rdfService.sparqlSelectQuery(queryText, new ResultSetConsumer() {
+                @Override
+                protected void processQuerySolution(QuerySolution qs) {
+                    if (!qs.contains("keySize") || !qs.get("keySize").isLiteral()) {
+                        return;
+                    }
+                    long keySize = qs.getLiteral("keySize").getLong();
+                    if (expectedSize != keySize) {
+                        return;
+                    }
+                    if (!qs.contains("dataSetTemplate") || !qs.get("dataSetTemplate").isResource()) {
+                        return;
+                    }
+                    if (!qs.contains("policyTemplate") || !qs.get("policyTemplate").isResource()) {
+                        return;
+                    }
+                    dataSetTemplates.put(qs.getResource("dataSetTemplate").getURI(),
+                            qs.getResource("policyTemplate").getURI());
+                }
+            });
+        } catch (RDFServiceException e) {
+            log.error(e, e);
+        }
+        return dataSetTemplates;
+    }
+
+    public List<String> getDataSetKeysFromTemplate(String templateUri) {
+        List<String> dataSetKeys = new LinkedList<>();
+        ParameterizedSparqlString pss = new ParameterizedSparqlString(DATA_SET_KEY_TEMPLATE_QUERY);
+        pss.setIri("dataSetTemplate", templateUri);
+        final String queryText = pss.toString();
+        debug("SPARQL Query to get data set templates:\n %s", queryText);
+        try {
+            rdfService.sparqlSelectQuery(queryText, new ResultSetConsumer() {
+                @Override
+                protected void processQuerySolution(QuerySolution qs) {
+                    if (qs.contains("keyComponent") && qs.get("keyComponent").isResource()) {
+                        dataSetKeys.add(qs.getResource("keyComponent").getURI());
+                    }
+                }
+            });
+        } catch (RDFServiceException e) {
+            log.error(e, e);
+        }
+        return dataSetKeys;
+    }
+
+    public List<String> getDataSetKeyTemplatesFromTemplate(String templateUri) {
+        List<String> dataSetDraftKeys = new LinkedList<>();
+        ParameterizedSparqlString pss = new ParameterizedSparqlString(DATA_SET_KEY_TEMPLATES_TEMPLATE_QUERY);
+        pss.setIri("dataSetTemplate", templateUri);
+        final String queryText = pss.toString();
+        debug("SPARQL Query to get data set templates:\n %s", queryText);
+        try {
+            rdfService.sparqlSelectQuery(queryText, new ResultSetConsumer() {
+                @Override
+                protected void processQuerySolution(QuerySolution qs) {
+                    if (qs.contains("keyComponentTemplate") && qs.get("keyComponentTemplate").isResource()) {
+                        dataSetDraftKeys.add(qs.getResource("keyComponentTemplate").getURI());
+                    }
+                }
+            });
+        } catch (RDFServiceException e) {
+            log.error(e, e);
+        }
+        return dataSetDraftKeys;
+    }
+
+    public List<String> getDataSetValuesFromTemplate(String templateUri) {
+        List<String> valueSets = new LinkedList<>();
+        ParameterizedSparqlString pss = new ParameterizedSparqlString(DATA_SET_VALUE_TEMPLATE_QUERY);
+        pss.setIri("dataSetTemplate", templateUri);
+        final String queryText = pss.toString();
+        debug("SPARQL Query to get data set values from data set template:\n %s", queryText);
+        try {
+            rdfService.sparqlSelectQuery(queryText, new ResultSetConsumer() {
+                @Override
+                protected void processQuerySolution(QuerySolution qs) {
+                    if (qs.contains("valueSet") && qs.get("valueSet").isResource()) {
+                        valueSets.add(qs.getResource("valueSet").getURI());
+                    }
+                }
+            });
+        } catch (RDFServiceException e) {
+            log.error(e, e);
+        }
+        return valueSets;
+    }
+
+    public List<String> getDataSetValueTemplatesFromTemplate(String templateUri) {
+        List<String> valueSetTemplates = new LinkedList<>();
+        ParameterizedSparqlString pss =
+                new ParameterizedSparqlString(DATA_SET_VALUE_SET_TEMPLATES_TEMPLATE_QUERY);
+        pss.setIri("dataSetTemplate", templateUri);
+        final String queryText = pss.toString();
+        debug("SPARQL Query to get data set value set templates from data set template:\n %s", queryText);
+        try {
+            rdfService.sparqlSelectQuery(queryText, new ResultSetConsumer() {
+                @Override
+                protected void processQuerySolution(QuerySolution qs) {
+                    if (qs.contains("valueSetTemplate") && qs.get("valueSetTemplate").isResource()) {
+                        valueSetTemplates.add(qs.getResource("valueSetTemplate").getURI());
+                    }
+                }
+            });
+        } catch (RDFServiceException e) {
+            log.error(e, e);
+        }
+        return valueSetTemplates;
+    }
+
+    public void constructValueSet(String valueSetTemplateUri, String valueSet, String role,
+            Model dataSetModel) {
+        ParameterizedSparqlString pss = new ParameterizedSparqlString(CONSTRUCT_VALUE_SET_QUERY);
+        pss.setIri("valueSetTemplateUri", valueSetTemplateUri);
+        pss.setIri("valueSet", valueSet);
+        pss.setIri("role", role);
+        debug("SPARQL Construct Query to create value set \n %s", pss.toString());
+        try {
+            rdfService.sparqlConstructQuery(pss.toString(), dataSetModel);
+        } catch (RDFServiceException e) {
+            log.error(e, e);
+        }
+    }
+
+    public List<String> getSubjectRoleValuePattern(String roleUri) {
+        List<String> rolePatterns = new LinkedList<>();
+        ParameterizedSparqlString pss =
+                new ParameterizedSparqlString(ROLE_VALUE_PATTERNS_QUERY);
+        pss.setLiteral("roleUri", roleUri);
+        final String queryText = pss.toString();
+        debug("SPARQL Query to get uri of role value patterns:\n %s", queryText);
+        try {
+            rdfService.sparqlSelectQuery(queryText, new ResultSetConsumer() {
+                @Override
+                protected void processQuerySolution(QuerySolution qs) {
+                    if (qs.contains("rolePattern") && qs.get("rolePattern").isResource()) {
+                        rolePatterns.add(qs.getResource("rolePattern").getURI());
+                    }
+                }
+            });
+        } catch (RDFServiceException e) {
+            log.error(e, e);
+        }
+        return rolePatterns;
+    }
+
+}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyStore.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyStore.java
new file mode 100644
index 0000000000..bb00eda4de
--- /dev/null
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyStore.java
@@ -0,0 +1,99 @@
+/* $This file is distributed under the terms of the license in LICENSE$ */
+
+package edu.cornell.mannlib.vitro.webapp.auth.policy;
+
+import java.util.Collections;
+import java.util.Comparator;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.concurrent.CopyOnWriteArrayList;
+
+import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.Policy;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+public class PolicyStore implements Policies {
+
+    private static final Comparator<Policy> comparator = getPolicyComparator();
+    private static PolicyStore INSTANCE = new PolicyStore();
+    private static final Log log = LogFactory.getLog(PolicyStore.class);
+
+    private PolicyStore() {
+        INSTANCE = this;
+    }
+
+    public static PolicyStore getInstance() {
+        return INSTANCE;
+    }
+
+    protected List<Policy> policyList = new CopyOnWriteArrayList<>();
+    protected Map<String, Policy> policyMap = new ConcurrentHashMap<>();
+
+    @Override
+    public boolean contains(Policy policy) {
+        return policyList.contains(policy);
+    }
+
+    @Override
+    public synchronized void remove(String policyUri) {
+        Policy oldPolicy = policyMap.get(policyUri);
+        if (oldPolicy != null) {
+            policyList.remove(oldPolicy);
+        }
+        policyMap.remove(policyUri);
+    }
+
+    @Override
+    public synchronized void add(Policy policy) {
+        if (policy == null) {
+            log.error("Policy to add is null");
+            return;
+        }
+        Policy oldPolicy = policyMap.put(policy.getUri(), policy);
+        if (oldPolicy != null) {
+            policyList.remove(oldPolicy);
+        }
+        policyList.add(policy);
+        Collections.sort(policyList, comparator);
+    }
+
+    @Override
+    public synchronized void clear() {
+        policyList.clear();
+        policyMap.clear();
+    }
+
+    public List<String> getShortUris() {
+        List<String> uris = new LinkedList<>();
+        for (Policy policy : policyList) {
+            uris.add(policy.getShortUri());
+        }
+        return uris;
+    }
+
+    private static Comparator<Policy> getPolicyComparator() {
+        return new Comparator<Policy>() {
+            @Override
+            public int compare(Policy lps, Policy rps) {
+                if (lps.getPriority() > rps.getPriority()) {
+                    return -1;
+                } else if (lps.getPriority() < rps.getPriority()) {
+                    return 1;
+                }
+                return lps.getUri().compareTo(lps.getUri());
+            }
+        };
+    }
+
+    @Override
+    public List<Policy> getList() {
+        return policyList;
+    }
+
+    @Override
+    public long size() {
+        return policyList.size();
+    }
+}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyTemplateController.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyTemplateController.java
new file mode 100644
index 0000000000..46562890b3
--- /dev/null
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyTemplateController.java
@@ -0,0 +1,125 @@
+package edu.cornell.mannlib.vitro.webapp.auth.policy;
+
+import static edu.cornell.mannlib.vitro.webapp.dao.VitroVocabulary.AUTH_INDIVIDUAL_PREFIX;
+import static edu.cornell.mannlib.vitro.webapp.dao.VitroVocabulary.AUTH_VOCABULARY_PREFIX;
+import static edu.cornell.mannlib.vitro.webapp.dao.VitroVocabulary.RDF_TYPE;
+
+import java.util.List;
+import java.util.Map;
+
+import edu.cornell.mannlib.vitro.webapp.rdfservice.adapters.VitroModelFactory;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.jena.rdf.model.Model;
+import org.apache.jena.rdf.model.impl.StatementImpl;
+
+public class PolicyTemplateController {
+
+    private static final Log log = LogFactory.getLog(PolicyTemplateController.class);
+    public static void createRoleDataSets(String roleUri) {
+
+        // Execute sparql query to get all data set templates that have ao:hasTemplateKeyComponent
+        // access-individual:SubjectRole .
+        Map<String, String> templates = PolicyLoader.getInstance().getRoleDataSetTemplates();
+        for (String templateUri : templates.keySet()) {
+            createRoleDataSet(templateUri, roleUri, templates.get(templateUri));
+        }
+    }
+
+    private static void createRoleDataSet(String dataSetTemplateUri, String roleUri, String dataSetsUri) {
+        String role = getRoleShortName(roleUri);
+        String dataSetUri = getUriFromTemplate(dataSetTemplateUri, role);
+        String dataSetKeyUri = dataSetUri + "Key";
+        // TODO: Check uri doesn't exists in access control graph
+        PolicyLoader policyLoader = PolicyLoader.getInstance();
+        List<String> keys = policyLoader.getDataSetKeysFromTemplate(dataSetTemplateUri);
+        List<String> keyTemplates = policyLoader.getDataSetKeyTemplatesFromTemplate(dataSetTemplateUri);
+
+        Model dataSetModel = VitroModelFactory.createModel();
+
+        for (String keyTemplate : keyTemplates) {
+            if (keyTemplate.equals(AUTH_INDIVIDUAL_PREFIX + "SubjectRole")) {
+                String roleKeyUri = null;
+                List<String> roleValuePatterns = PolicyLoader.getInstance().getSubjectRoleValuePattern(roleUri);
+                if (roleValuePatterns.isEmpty()) {
+                    roleKeyUri = createSubjectRoleUri(roleUri, dataSetModel);
+                } else {
+                    roleKeyUri = roleValuePatterns.get(0);
+                }
+                keys.add(roleKeyUri);
+            } else {
+                log.error(String.format("Not recognized key template found '%s'", keyTemplate));
+                return;
+            }
+        }
+        // Add ?dataSets ao:hasDataSet dataSetUri .
+        dataSetModel.add(new StatementImpl(dataSetModel.createResource(dataSetsUri),
+                dataSetModel.createProperty(AUTH_VOCABULARY_PREFIX + "hasDataSet"),
+                dataSetModel.createResource(dataSetUri)));
+
+        dataSetModel.add(new StatementImpl(dataSetModel.createResource(dataSetUri),
+                dataSetModel.createProperty(RDF_TYPE),
+                dataSetModel.createResource(AUTH_VOCABULARY_PREFIX + "PolicyDataSet")));
+
+        dataSetModel.add(new StatementImpl(dataSetModel.createResource(dataSetUri),
+                dataSetModel.createProperty(AUTH_VOCABULARY_PREFIX + "hasDataSetKey"),
+                dataSetModel.createResource(dataSetKeyUri)));
+
+        for (String key : keys) {
+            dataSetModel.add(new StatementImpl(dataSetModel.createResource(dataSetKeyUri),
+                    dataSetModel.createProperty(AUTH_VOCABULARY_PREFIX + "hasKeyComponent"),
+                    dataSetModel.createResource(key)));
+        }
+
+        List<String> valueSetUris = policyLoader.getDataSetValuesFromTemplate(dataSetTemplateUri);
+        for (String valueSetUri : valueSetUris) {
+            // Add ?dataSetUri ao:hasRelatedValueSet ?valueSetUri .
+            dataSetModel.add(new StatementImpl(dataSetModel.createResource(dataSetUri),
+                    dataSetModel.createProperty(AUTH_VOCABULARY_PREFIX + "hasRelatedValueSet"),
+                    dataSetModel.createResource(valueSetUri)));
+        }
+
+        List<String> valueSetTemplateUris = policyLoader.getDataSetValueTemplatesFromTemplate(dataSetTemplateUri);
+
+        for (String valueSetTemplateUri : valueSetTemplateUris) {
+            String valueSetUri = getUriFromTemplate(valueSetTemplateUri, role);
+            dataSetModel.add(new StatementImpl(dataSetModel.createResource(dataSetUri),
+                    dataSetModel.createProperty(AUTH_VOCABULARY_PREFIX + "hasRelatedValueSet"),
+                    dataSetModel.createResource(valueSetUri)));
+
+            policyLoader.constructValueSet(valueSetTemplateUri, valueSetUri, roleUri, dataSetModel);
+            // TODO: Check uri doesn't exists in access control graph
+            // If value set template is subject role, then role uri should be added to the set
+        }
+        policyLoader.updateAccessControlModel(dataSetModel, true);
+    }
+
+    public static String createSubjectRoleUri(String roleUri, Model dataSetModel) {
+        String roleShortName = getRoleShortName(roleUri);
+        String roleValueSetUri = AUTH_INDIVIDUAL_PREFIX + roleShortName + "RoleUri";
+        dataSetModel.add(new StatementImpl(dataSetModel.createResource(roleValueSetUri),
+                dataSetModel.createProperty(AUTH_VOCABULARY_PREFIX + "id"),
+                dataSetModel.createLiteral(roleUri)));
+        dataSetModel.add(new StatementImpl(dataSetModel.createResource(roleValueSetUri),
+                dataSetModel.createProperty(RDF_TYPE),
+                dataSetModel.createResource(AUTH_VOCABULARY_PREFIX + "SubjectRoleUri")));
+        return roleValueSetUri;
+    }
+
+    private static String getRoleShortName(String roleUri) {
+        String slashSplit = roleUri.substring(roleUri.lastIndexOf('/') + 1);
+        String hashSplit = slashSplit.substring(slashSplit.lastIndexOf('#') + 1);
+        return Character.toUpperCase(hashSplit.charAt(0)) + hashSplit.substring(1).toLowerCase();
+    }
+
+    private static String getUriFromTemplate(String templateUri, String name) {
+        String templatePrefix = templateUri.substring(0, templateUri.lastIndexOf('/') + 1);
+        String templateName = templateUri.substring(templateUri.lastIndexOf('/') + 1);
+        int index = templateName.lastIndexOf("Template");
+        if (templateName.endsWith("Template") && index > 0) {
+            templateName = templateName.substring(0, index);
+        }
+        return templatePrefix + name + templateName;
+    }
+
+}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/RequestPolicyList.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/RequestPolicyList.java
deleted file mode 100644
index c077daac50..0000000000
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/RequestPolicyList.java
+++ /dev/null
@@ -1,71 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.policy;
-
-import javax.servlet.ServletContext;
-import javax.servlet.ServletRequest;
-import javax.servlet.http.HttpServletRequest;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-
-import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyIface;
-
-/**
- * Allow us to store policies in a Request, in addition to those in the
- * ServletContext
- */
-public class RequestPolicyList extends PolicyList {
-	private static final String ATTRIBUTE_POLICY_ADDITIONS = RequestPolicyList.class
-			.getName();
-	private static final Log log = LogFactory.getLog(RequestPolicyList.class);
-
-	/**
-	 * Get a copy of the current list of policies. This includes the policies in
-	 * the ServletContext, followed by any stored in the request. This method may
-	 * return an empty list, but it never returns null.
-	 */
-	public static PolicyList getPolicies(HttpServletRequest request) {
-		ServletContext ctx = request.getSession().getServletContext();
-
-		PolicyList list = ServletPolicyList.getPolicies(ctx);
-		list.addAll(getPoliciesFromRequest(request));
-		return list;
-	}
-
-	public static void addPolicy(ServletRequest request, PolicyIface policy) {
-		PolicyList policies = getPoliciesFromRequest(request);
-		if (!policies.contains(policy)) {
-			policies.add(policy);
-			log.debug("Added policy: " + policy.toString());
-		} else {
-			log.warn("Ignored attempt to add redundent policy.");
-		}
-	}
-
-	/**
-	 * Get the current list of policy additions from the request, or create one
-	 * if there is none. This method may return an empty list, but it never
-	 * returns null.
-	 */
-	private static PolicyList getPoliciesFromRequest(ServletRequest request) {
-		if (request == null) {
-			throw new NullPointerException("request may not be null.");
-		}
-
-		Object obj = request.getAttribute(ATTRIBUTE_POLICY_ADDITIONS);
-		if (obj == null) {
-			obj = new PolicyList();
-			request.setAttribute(ATTRIBUTE_POLICY_ADDITIONS, obj);
-		}
-
-		if (!(obj instanceof PolicyList)) {
-			throw new IllegalStateException("Expected to find an instance of "
-					+ PolicyList.class.getName()
-					+ " in the context, but found an instance of "
-					+ obj.getClass().getName() + " instead.");
-		}
-
-		return (PolicyList) obj;
-	}
-}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/RestrictHomeMenuItemEditingPolicy.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/RestrictHomeMenuItemEditingPolicy.java
deleted file mode 100644
index 3b43577548..0000000000
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/RestrictHomeMenuItemEditingPolicy.java
+++ /dev/null
@@ -1,70 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.policy;
-
-import javax.servlet.ServletContextEvent;
-import javax.servlet.ServletContextListener;
-
-import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle;
-import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.Authorization;
-import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyDecision;
-import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyIface;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AbstractObjectPropertyStatementAction;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.DropObjectPropertyStatement;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.EditObjectPropertyStatement;
-import edu.cornell.mannlib.vitro.webapp.dao.DisplayVocabulary;
-
-/**
- * Don't allow user to edit or drop the HomeMenuItem statement.
- */
-public class RestrictHomeMenuItemEditingPolicy implements PolicyIface {
-
-	@Override
-	public PolicyDecision isAuthorized(IdentifierBundle whoToAuth,
-			RequestedAction whatToAuth) {
-		if (whatToAuth instanceof EditObjectPropertyStatement) {
-			return isAuthorized((EditObjectPropertyStatement) whatToAuth);
-		} else if (whatToAuth instanceof DropObjectPropertyStatement) {
-			return isAuthorized((DropObjectPropertyStatement) whatToAuth);
-		} else {
-			return notHandled();
-		}
-	}
-
-	private PolicyDecision isAuthorized(
-			AbstractObjectPropertyStatementAction whatToAuth) {
-		if (whatToAuth.getPredicateUri()
-				.equals(DisplayVocabulary.HAS_ELEMENT)
-				&& whatToAuth.getObjectUri().equals(
-						DisplayVocabulary.HOME_MENU_ITEM)) {
-			return notAuthorized();
-		} else {
-			return notHandled();
-		}
-	}
-
-	private BasicPolicyDecision notHandled() {
-		return new BasicPolicyDecision(Authorization.INCONCLUSIVE,
-				"Doesn't handle this type of request");
-	}
-
-	private BasicPolicyDecision notAuthorized() {
-		return new BasicPolicyDecision(Authorization.UNAUTHORIZED,
-				"Can't edit home menu item.");
-	}
-
-	public static class Setup implements ServletContextListener {
-		@Override
-		public void contextInitialized(ServletContextEvent sce) {
-			ServletPolicyList.addPolicyAtFront(sce.getServletContext(),
-					new RestrictHomeMenuItemEditingPolicy());
-		}
-
-		@Override
-		public void contextDestroyed(ServletContextEvent ctx) {
-			// Nothing to do here.
-		}
-
-	}
-}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/RootUserPolicy.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/RootUserPolicy.java
deleted file mode 100644
index 816bf7d515..0000000000
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/RootUserPolicy.java
+++ /dev/null
@@ -1,233 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.policy;
-
-import java.util.TreeSet;
-
-import javax.servlet.ServletContext;
-import javax.servlet.ServletContextEvent;
-import javax.servlet.ServletContextListener;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-
-import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle;
-import edu.cornell.mannlib.vitro.webapp.auth.identifier.common.IsRootUser;
-import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.Authorization;
-import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyDecision;
-import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyIface;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction;
-import edu.cornell.mannlib.vitro.webapp.beans.UserAccount;
-import edu.cornell.mannlib.vitro.webapp.beans.UserAccount.Status;
-import edu.cornell.mannlib.vitro.webapp.config.ConfigurationProperties;
-import edu.cornell.mannlib.vitro.webapp.controller.authenticate.Authenticator;
-import edu.cornell.mannlib.vitro.webapp.modelaccess.ModelAccess;
-import edu.cornell.mannlib.vitro.webapp.dao.UserAccountsDao;
-import edu.cornell.mannlib.vitro.webapp.startup.StartupStatus;
-
-/**
- * If the user has an IsRootUser identifier, they can do anything!
- *
- * On setup, check to see that the specified root user exists. If not, create
- * it. If we can't create it, abort.
- *
- * If any other root users exist, warn about them.
- */
-public class RootUserPolicy implements PolicyIface {
-	private static final Log log = LogFactory.getLog(RootUserPolicy.class);
-
-	private static final String PROPERTY_ROOT_USER_EMAIL = "rootUser.emailAddress";
-	/*
-	 * UQAM Add-Feature For parameterization of rootUser
-	 */
-	private static final String PROPERTY_ROOT_USER_PASSWORD = "rootUser.password";
-	private static final String PROPERTY_ROOT_USER_PASSWORD_CHANGE_REQUIRED = "rootUser.passwordChangeRequired";
-
-	private static final String ROOT_USER_INITIAL_PASSWORD = "rootPassword";
-	private static final String ROOT_USER_INITIAL_PASSWORD_CHANGE_REQUIRED = "true";
-
-	/**
-	 * This is the entire policy. If you are a root user, you are authorized.
-	 */
-	@Override
-	public PolicyDecision isAuthorized(IdentifierBundle whoToAuth,
-			RequestedAction whatToAuth) {
-		if (IsRootUser.isRootUser(whoToAuth)) {
-			return new BasicPolicyDecision(Authorization.AUTHORIZED,
-					"RootUserPolicy: approved");
-		} else {
-			return new BasicPolicyDecision(Authorization.INCONCLUSIVE,
-					"not root user");
-		}
-	}
-
-	@Override
-	public String toString() {
-		return "RootUserPolicy - " + hashCode();
-	}
-
-	// ----------------------------------------------------------------------
-	// Setup class
-	// ----------------------------------------------------------------------
-
-	public static class Setup implements ServletContextListener {
-		private ServletContext ctx;
-		private StartupStatus ss;
-		private UserAccountsDao uaDao;
-		private ConfigurationProperties cp;
-		private String configuredRootUser;
-		private boolean configuredRootUserExists;
-		private TreeSet<String> otherRootUsers;
-
-		@Override
-		public void contextInitialized(ServletContextEvent sce) {
-			ctx = sce.getServletContext();
-			ss = StartupStatus.getBean(ctx);
-			cp = ConfigurationProperties.getBean(ctx);
-
-			try {
-				uaDao = ModelAccess.on(ctx).getWebappDaoFactory()
-						.getUserAccountsDao();
-				configuredRootUser = getRootEmailFromConfig();
-
-				otherRootUsers = getEmailsOfAllRootUsers();
-				configuredRootUserExists = otherRootUsers
-						.remove(configuredRootUser);
-
-				if (configuredRootUserExists) {
-					if (otherRootUsers.isEmpty()) {
-						informThatRootUserExists();
-					} else {
-						complainAboutMultipleRootUsers();
-					}
-				} else {
-					createRootUser();
-					if (!otherRootUsers.isEmpty()) {
-						complainAboutWrongRootUsers();
-					}
-				}
-
-				ServletPolicyList.addPolicy(ctx, new RootUserPolicy());
-			} catch (Exception e) {
-				ss.fatal(this, "Failed to set up the RootUserPolicy", e);
-			}
-		}
-
-		private String getRootEmailFromConfig() {
-			String email = ConfigurationProperties.getBean(ctx).getProperty(
-					PROPERTY_ROOT_USER_EMAIL);
-			if (email == null) {
-				throw new IllegalStateException(
-						"runtime.properties must contain a value for '"
-								+ PROPERTY_ROOT_USER_EMAIL + "'");
-			} else {
-				return email;
-			}
-		}
-
-		private TreeSet<String> getEmailsOfAllRootUsers() {
-			TreeSet<String> rootUsers = new TreeSet<String>();
-			for (UserAccount ua : uaDao.getAllUserAccounts()) {
-				if (ua.isRootUser()) {
-					rootUsers.add(ua.getEmailAddress());
-				}
-			}
-			return rootUsers;
-		}
-
-		/**
-		 * TODO The first and last name should be left blank, so the user will
-		 * be forced to edit them. However, that's not in place yet.
-		 */
-		private void createRootUser() {
-			if (!Authenticator.isValidEmailAddress(configuredRootUser)) {
-				throw new IllegalStateException("Value for '"
-						+ PROPERTY_ROOT_USER_EMAIL
-						+ "' is not a valid email address: '"
-						+ configuredRootUser + "'");
-			}
-
-			if (null != uaDao.getUserAccountByEmail(configuredRootUser)) {
-				throw new IllegalStateException("Can't create root user - "
-						+ "an account already exists with email address '"
-						+ configuredRootUser + "'");
-			}
-
-			UserAccount ua = new UserAccount();
-			ua.setEmailAddress(configuredRootUser);
-			ua.setFirstName("root");
-			ua.setLastName("user");
-			// UQAM Add-Feature using getRootPasswordFromConfig()
-			ua.setArgon2Password(Authenticator.applyArgon2iEncoding(
-					getRootPasswordFromConfig()));
-			ua.setMd5Password("");
-			// UQAM Add-Feature using getRootPasswdChangeRequiredFromConfig()
-			ua.setPasswordChangeRequired(getRootPasswdChangeRequiredFromConfig().booleanValue());
-			ua.setStatus(Status.ACTIVE);
-			ua.setRootUser(true);
-
-			uaDao.insertUserAccount(ua);
-
-			StartupStatus.getBean(ctx).info(this,
-					"Created root user '" + configuredRootUser + "'");
-		}
-
-		private void informThatRootUserExists() {
-			ss.info(this, "Root user is " + configuredRootUser);
-		}
-
-		private void complainAboutMultipleRootUsers() {
-			for (String other : otherRootUsers) {
-				ss.warning(this, "runtime.properties specifies '"
-						+ configuredRootUser + "' as the value for '"
-						+ PROPERTY_ROOT_USER_EMAIL
-						+ "', but the system also contains this root user: "
-						+ other);
-			}
-			ss.warning(this, "For security, "
-					+ "it is best to delete unneeded root user accounts.");
-		}
-
-		private void complainAboutWrongRootUsers() {
-			for (String other : otherRootUsers) {
-				ss.warning(this, "runtime.properties specifies '"
-						+ configuredRootUser + "' as the value for '"
-						+ PROPERTY_ROOT_USER_EMAIL
-						+ "', but the system contains this root user instead: "
-						+ other);
-			}
-			ss.warning(this, "Creating root user '" + configuredRootUser + "'");
-			ss.warning(this, "For security, "
-					+ "it is best to delete unneeded root user accounts.");
-		}
-		/*
-		 * UQAM Add-Feature
-		 * Add for getting rootUser.password property value from runtime.properties
-		 */
-		private String getRootPasswordFromConfig() {
-			String passwd = ConfigurationProperties.getBean(ctx).getProperty(
-					PROPERTY_ROOT_USER_PASSWORD);
-			if (passwd == null) {
-				passwd = ROOT_USER_INITIAL_PASSWORD;
-			}
-			return passwd;
-		}
-
-		/*
-		 * UQAM Add-Feature
-		 * Add for getting rootUser.passwordChangeRequired  property value  from runtime.properties
-		 */
-		private Boolean getRootPasswdChangeRequiredFromConfig() {
-			String passwdCR = ConfigurationProperties.getBean(ctx).getProperty(
-					PROPERTY_ROOT_USER_PASSWORD_CHANGE_REQUIRED);
-			if (passwdCR == null) {
-				passwdCR = ROOT_USER_INITIAL_PASSWORD_CHANGE_REQUIRED;
-			}
-			return new Boolean(passwdCR);
-		}
-		@Override
-		public void contextDestroyed(ServletContextEvent sce) {
-			// Nothing to destroy
-		}
-	}
-}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/SelfEditingPolicy.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/SelfEditingPolicy.java
deleted file mode 100644
index ab43736a74..0000000000
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/SelfEditingPolicy.java
+++ /dev/null
@@ -1,161 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.policy;
-
-import java.util.ArrayList;
-import java.util.List;
-
-import javax.servlet.ServletContext;
-
-import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle;
-import edu.cornell.mannlib.vitro.webapp.auth.identifier.common.HasAssociatedIndividual;
-import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyDecision;
-import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyIface;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AbstractDataPropertyStatementAction;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AbstractObjectPropertyStatementAction;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.resource.AbstractResourceAction;
-import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean.RoleLevel;
-import edu.cornell.mannlib.vitro.webapp.beans.Property;
-
-/**
- * Policy to use for Vivo Self-Editing based on NetId for use at Cornell. All
- * methods in this class should be thread safe and side effect free.
- */
-public class SelfEditingPolicy extends BaseSelfEditingPolicy implements
-		PolicyIface {
-	public SelfEditingPolicy(ServletContext ctx) {
-		super(ctx, RoleLevel.SELF);
-	}
-
-	@Override
-	public PolicyDecision isAuthorized(IdentifierBundle whoToAuth,
-			RequestedAction whatToAuth) {
-		if (whoToAuth == null) {
-			return inconclusiveDecision("whoToAuth was null");
-		}
-		if (whatToAuth == null) {
-			return inconclusiveDecision("whatToAuth was null");
-		}
-
-		List<String> userUris = new ArrayList<String>(
-				HasAssociatedIndividual.getIndividualUris(whoToAuth));
-
-		if (userUris.isEmpty()) {
-			return inconclusiveDecision("Not self-editing.");
-		}
-
-		if (whatToAuth instanceof AbstractObjectPropertyStatementAction) {
-			return isAuthorizedForObjectPropertyAction(userUris,
-					(AbstractObjectPropertyStatementAction) whatToAuth);
-		}
-
-		if (whatToAuth instanceof AbstractDataPropertyStatementAction) {
-			return isAuthorizedForDataPropertyAction(userUris,
-					(AbstractDataPropertyStatementAction) whatToAuth);
-		}
-
-		if (whatToAuth instanceof AbstractResourceAction) {
-			return isAuthorizedForResourceAction((AbstractResourceAction) whatToAuth);
-		}
-
-		return inconclusiveDecision("Does not authorize "
-				+ whatToAuth.getClass().getSimpleName() + " actions");
-	}
-
-	/**
-	 * The user can edit a object property if it is not restricted and if it is
-	 * about him.
-	 */
-	private PolicyDecision isAuthorizedForObjectPropertyAction(
-			List<String> userUris, AbstractObjectPropertyStatementAction action) {
-		String subject = action.getSubjectUri();
-		Property predicate = action.getPredicate();
-		String object = action.getObjectUri();
-
-		if (!canModifyResource(subject)) {
-			return cantModifyResource(subject);
-		}
-		if (!canModifyPredicate(predicate)) {
-			return cantModifyPredicate(predicate);
-		}
-		if (!canModifyResource(object)) {
-			return cantModifyResource(object);
-		}
-
-		if (userCanEditAsSubjectOrObjectOfStmt(userUris, subject, object)) {
-			return authorizedDecision("User is subject or object of statement.");
-		} else {
-			return userNotAuthorizedToStatement();
-		}
-	}
-
-	/**
-	 * The user can edit a data property if it is not restricted and if it is
-	 * about him.
-	 */
-	private PolicyDecision isAuthorizedForDataPropertyAction(
-			List<String> userUris, AbstractDataPropertyStatementAction action) {
-		String subject = action.getSubjectUri();
-		Property predicate = action.getPredicate();
-
-		if (!canModifyResource(subject)) {
-			return cantModifyResource(subject);
-		}
-		if (!canModifyPredicate(predicate)) {
-			return cantModifyPredicate(predicate);
-		}
-
-		if (userCanEditAsSubjectOfStmt(userUris, subject)) {
-			return authorizedDecision("User is subject of statement.");
-		} else {
-			return userNotAuthorizedToStatement();
-		}
-	}
-
-	/**
-	 * The user can add or remove resources if they are not restricted.
-	 */
-	private PolicyDecision isAuthorizedForResourceAction(
-			AbstractResourceAction action) {
-		String uri = action.getSubjectUri();
-		if (!canModifyResource(uri)) {
-			return cantModifyResource(uri);
-		} else {
-			return authorizedDecision("May add/remove resource.");
-		}
-	}
-
-	// ----------------------------------------------------------------------
-	// Helper methods
-	// ----------------------------------------------------------------------
-
-	private boolean userCanEditAsSubjectOfStmt(List<String> userUris,
-			String subject) {
-		for (String userUri : userUris) {
-			if (userUri.equals(subject)) {
-				return true;
-			}
-		}
-		return false;
-	}
-
-	private boolean userCanEditAsSubjectOrObjectOfStmt(List<String> userUris,
-			String subject, String object) {
-		for (String userUri : userUris) {
-			if (userUri.equals(subject)) {
-				return true;
-			}
-			if (userUri.equals(object)) {
-				return true;
-			}
-		}
-		return false;
-	}
-
-	@Override
-	public String toString() {
-		return "SelfEditingPolicy - " + hashCode();
-	}
-
-}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/ServletPolicyList.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/ServletPolicyList.java
deleted file mode 100644
index f724a50390..0000000000
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/ServletPolicyList.java
+++ /dev/null
@@ -1,122 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.policy;
-
-import java.util.ListIterator;
-
-import javax.servlet.ServletContext;
-import javax.servlet.http.HttpServletRequest;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-
-import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyIface;
-
-/**
- * This maintains a PolicyList in the ServletContext. As a rule, however, this
- * is only used as the basis for the RequestPolicyList. Client code that wants
- * to access the current list of policies should look there.
- */
-public class ServletPolicyList {
-	private static final String ATTRIBUTE_POLICY_LIST = ServletPolicyList.class.getName();
-	private static final Log log = LogFactory.getLog(ServletPolicyList.class);
-
-	/**
-	 * Get a copy of the current list of policies. This method may return an
-	 * empty list, but it never returns null.
-	 */
-	public static PolicyIface getPolicies(HttpServletRequest hreq) {
-		return getPolicies(hreq.getSession().getServletContext());
-	}
-
-	/**
-	 * Get a copy of the current list of policies. This method may return an
-	 * empty list, but it never returns null.
-	 */
-	public static PolicyList getPolicies(ServletContext sc) {
-		return new PolicyList(getPolicyList(sc));
-	}
-
-	/**
-	 * Add the policy to the end of the list.
-	 */
-	public static void addPolicy(ServletContext sc, PolicyIface policy) {
-		if (policy == null) {
-			return;
-		}
-
-		PolicyList policies = getPolicyList(sc);
-		if (!policies.contains(policy)) {
-			policies.add(policy);
-			log.debug("Added policy: " + policy.toString());
-		} else {
-			log.warn("Ignored attempt to add redundant policy.");
-		}
-	}
-
-	/**
-	 * Add the policy to the front of the list. It may be moved further down the
-	 * list by other policies that are later added using this method.
-	 */
-	public static void addPolicyAtFront(ServletContext sc, PolicyIface policy) {
-		if (policy == null) {
-			return;
-		}
-
-		PolicyList policies = getPolicyList(sc);
-		if (!policies.contains(policy)) {
-			policies.add(0, policy);
-			log.debug("Added policy at front: " + policy.toString());
-		} else {
-			log.warn("Ignored attempt to add redundant policy.");
-		}
-	}
-
-	/**
-	 * Replace the first instance of this class of policy in the list. If no
-	 * instance is found, add the policy to the end of the list.
-	 */
-	public static void replacePolicy(ServletContext sc, PolicyIface policy) {
-		if (policy == null) {
-			return;
-		}
-
-		Class<?> clzz = policy.getClass();
-		PolicyList policies = getPolicyList(sc);
-		ListIterator<PolicyIface> it = policies.listIterator();
-		while (it.hasNext()) {
-			if (clzz.isAssignableFrom(it.next().getClass())) {
-				it.set(policy);
-				return;
-			}
-		}
-
-		addPolicy(sc, policy);
-	}
-
-	/**
-	 * Get the current PolicyList from the context, or create one if there is
-	 * none. This method may return an empty list, but it never returns null.
-	 */
-	private static PolicyList getPolicyList(ServletContext ctx) {
-		if (ctx == null) {
-			throw new NullPointerException("ctx may not be null.");
-		}
-
-		Object obj = ctx.getAttribute(ATTRIBUTE_POLICY_LIST);
-		if (obj == null) {
-			obj = new PolicyList();
-			ctx.setAttribute(ATTRIBUTE_POLICY_LIST, obj);
-		}
-
-		if (!(obj instanceof PolicyList)) {
-			throw new IllegalStateException("Expected to find an instance of "
-					+ PolicyList.class.getName()
-					+ " in the context, but found an instance of "
-					+ obj.getClass().getName() + " instead.");
-		}
-
-		return (PolicyList) obj;
-	}
-
-}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/bean/PropertyRestrictionBean.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/bean/PropertyRestrictionBean.java
deleted file mode 100644
index 51c113ee5d..0000000000
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/bean/PropertyRestrictionBean.java
+++ /dev/null
@@ -1,207 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.policy.bean;
-
-import java.util.Arrays;
-import java.util.Collection;
-
-import javax.servlet.ServletContext;
-import javax.servlet.ServletContextEvent;
-import javax.servlet.ServletContextListener;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-
-import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean.RoleLevel;
-import edu.cornell.mannlib.vitro.webapp.beans.Property;
-import edu.cornell.mannlib.vitro.webapp.dao.VitroVocabulary;
-import edu.cornell.mannlib.vitro.webapp.modelaccess.ModelAccess;
-import edu.cornell.mannlib.vitro.webapp.startup.StartupStatus;
-
-/**
- * Assists the role-based policies in determining whether a property or resource
- * may be displayed, modified, or published in linked open data.
- *
- * There is a singleton bean that holds the current threshold role levels for
- * displaying, modifying, or publishing restricted properties.
- *
- * Create this bean after the context models are in place.
- *
- * Add PropertyRestrictionListener to your EditProcessObject if you are editing
- * a property, to ensure that the bean stays current.
- */
-public abstract class PropertyRestrictionBean {
-	private static final Log log = LogFactory
-			.getLog(PropertyRestrictionBean.class);
-
-	private static final PropertyRestrictionBean NULL = new PropertyRestrictionBeanNull();
-
-	protected static volatile PropertyRestrictionBean instance = NULL;
-
-	protected static final Collection<String> PROHIBITED_NAMESPACES = Arrays
-			.asList(new String[] { VitroVocabulary.vitroURI, "" });
-
-	protected static final Collection<String> PERMITTED_EXCEPTIONS = Arrays
-			.asList(new String[] { VitroVocabulary.MONIKER,
-					VitroVocabulary.MODTIME, VitroVocabulary.IND_MAIN_IMAGE,
-					VitroVocabulary.LINK, VitroVocabulary.PRIMARY_LINK,
-					VitroVocabulary.ADDITIONAL_LINK,
-					VitroVocabulary.LINK_ANCHOR, VitroVocabulary.LINK_URL });
-
-	// ----------------------------------------------------------------------
-	// static methods
-	// ----------------------------------------------------------------------
-
-	public static PropertyRestrictionBean getBean() {
-		return instance;
-	}
-
-	// ----------------------------------------------------------------------
-	// instance methods
-	// ----------------------------------------------------------------------
-
-	/**
-	 * Any resource can be displayed.
-	 *
-	 * (Someday we may want to implement display restrictions based on VClass.)
-	 */
-	public abstract boolean canDisplayResource(String resourceUri,
-			RoleLevel userRole);
-
-	/**
-	 * A resource cannot be modified if its namespace is in the prohibited list
-	 * (but some exceptions are allowed).
-	 *
-	 * (Someday we may want to implement modify restrictions based on VClass.)
-	 */
-	public abstract boolean canModifyResource(String resourceUri,
-			RoleLevel userRole);
-
-	/**
-	 * Any resource can be published.
-	 *
-	 * (Someday we may want to implement publish restrictions based on VClass.)
-	 */
-	public abstract boolean canPublishResource(String resourceUri,
-			RoleLevel userRole);
-
-	/**
-	 * If display of a predicate is restricted, the user's role must be at least
-	 * as high as the restriction level.
-	 */
-	public abstract boolean canDisplayPredicate(Property predicate,
-			RoleLevel userRole);
-
-	/**
-	 * A predicate cannot be modified if its namespace is in the prohibited list
-	 * (some exceptions are allowed).
-	 *
-	 * If modification of a predicate is restricted, the user's role must be at
-	 * least as high as the restriction level.
-	 */
-	public abstract boolean canModifyPredicate(Property predicate,
-			RoleLevel userRole);
-
-	/**
-	 * If publishing of a predicate is restricted, the user's role must be at
-	 * least as high as the restriction level.
-	 */
-	public abstract boolean canPublishPredicate(Property predicate,
-			RoleLevel userRole);
-
-	/**
-	 * The threshold values for this property may have changed.
-	 */
-	public abstract void updateProperty(PropertyRestrictionLevels levels);
-
-	// ----------------------------------------------------------------------
-	// The null implementation
-	// ----------------------------------------------------------------------
-
-	/**
-	 * A placeholder for when the bean instance is not set.
-	 */
-	private static class PropertyRestrictionBeanNull extends
-			PropertyRestrictionBean {
-		@Override
-		public boolean canDisplayResource(String resourceUri, RoleLevel userRole) {
-			warn();
-			return false;
-		}
-
-		@Override
-		public boolean canModifyResource(String resourceUri, RoleLevel userRole) {
-			warn();
-			return false;
-		}
-
-		@Override
-		public boolean canPublishResource(String resourceUri, RoleLevel userRole) {
-			warn();
-			return false;
-		}
-
-		@Override
-		public boolean canDisplayPredicate(Property predicate,
-				RoleLevel userRole) {
-			warn();
-			return false;
-		}
-
-		@Override
-		public boolean canModifyPredicate(Property predicate, RoleLevel userRole) {
-			warn();
-			return false;
-		}
-
-		@Override
-		public boolean canPublishPredicate(Property predicate,
-				RoleLevel userRole) {
-			warn();
-			return false;
-		}
-
-		@Override
-		public void updateProperty(PropertyRestrictionLevels levels) {
-			warn();
-		}
-
-		private void warn() {
-			try {
-				throw new IllegalStateException();
-			} catch (IllegalStateException e) {
-				log.warn("No PropertyRestrictionBean in place.", e);
-			}
-		}
-	}
-
-	// ----------------------------------------------------------------------
-	// Setup class
-	// ----------------------------------------------------------------------
-
-	/**
-	 * Create the bean at startup and remove it at shutdown.
-	 */
-	public static class Setup implements ServletContextListener {
-		@Override
-		public void contextInitialized(ServletContextEvent sce) {
-			ServletContext ctx = sce.getServletContext();
-			StartupStatus ss = StartupStatus.getBean(ctx);
-
-			try {
-				instance = new PropertyRestrictionBeanImpl(
-						PROHIBITED_NAMESPACES, PERMITTED_EXCEPTIONS,
-						ModelAccess.on(ctx));
-			} catch (Exception e) {
-				ss.fatal(this,
-						"could not set up PropertyRestrictionBean", e);
-			}
-		}
-
-		@Override
-		public void contextDestroyed(ServletContextEvent sce) {
-			instance = NULL;
-		}
-	}
-
-}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/bean/PropertyRestrictionBeanImpl.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/bean/PropertyRestrictionBeanImpl.java
deleted file mode 100644
index 7676396dcd..0000000000
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/bean/PropertyRestrictionBeanImpl.java
+++ /dev/null
@@ -1,247 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.policy.bean;
-
-import static edu.cornell.mannlib.vitro.webapp.auth.policy.bean.PropertyRestrictionLevels.Which.DISPLAY;
-import static edu.cornell.mannlib.vitro.webapp.auth.policy.bean.PropertyRestrictionLevels.Which.MODIFY;
-import static edu.cornell.mannlib.vitro.webapp.auth.policy.bean.PropertyRestrictionLevels.Which.PUBLISH;
-
-import java.util.Collection;
-import java.util.Collections;
-import java.util.Comparator;
-import java.util.Map;
-import java.util.Objects;
-import java.util.Set;
-import java.util.SortedSet;
-import java.util.TreeSet;
-import java.util.concurrent.ConcurrentHashMap;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-
-import org.apache.jena.rdf.model.impl.Util;
-
-import edu.cornell.mannlib.vitro.webapp.auth.policy.bean.PropertyRestrictionLevels.Which;
-import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean.RoleLevel;
-import edu.cornell.mannlib.vitro.webapp.beans.DataProperty;
-import edu.cornell.mannlib.vitro.webapp.beans.FauxProperty;
-import edu.cornell.mannlib.vitro.webapp.beans.ObjectProperty;
-import edu.cornell.mannlib.vitro.webapp.beans.Property;
-import edu.cornell.mannlib.vitro.webapp.dao.PropertyDao.FullPropertyKey;
-import edu.cornell.mannlib.vitro.webapp.dao.WebappDaoFactory;
-import edu.cornell.mannlib.vitro.webapp.modelaccess.ContextModelAccess;
-
-/**
- * On creation, populate a map of PropertyRestrictionLevels.
- *
- * When a change is detected, update the map accordingly.
- *
- * ------------------------------
- *
- * How is authorization determined?
- *
- * Resources are easy. If they aren't in a prohibited namespace, or are an
- * exception to the prohibition, they are accessible.
- *
- * Properties are harder. The prohibited namespace and exceptions still apply,
- * but if we pass that test, then we check the threshold map.
- *
- * When a test is made, we look for thresholds in the map. First we look for the
- * full key of domain-base-range, in case we are testing a faux property. Faux
- * properties are recorded in the map with the full key.
- *
- * If we don't find the full key, then perhaps we are testing a faux property
- * that has no settings, or perhaps we are testing an object property. We look
- * for the partial key of null-base-null, which covers both of these cases,
- * since object properties (and data properties) are recorded the map with a
- * partial key.
- *
- * Similarly, if we find a null threshold value in the full key, we look back to
- * the partial key for a threshold.
- *
- * If we find no non-null threshold value then the property is unrestricted for
- * that feature.
- *
- * -----------------------------
- *
- * It would perhaps be a silly optimization, but if we find a key with 3 null
- * thresholds, we could remove it from the map without changing the behavior.
- */
-public class PropertyRestrictionBeanImpl extends PropertyRestrictionBean {
-	private static final Log log = LogFactory
-			.getLog(PropertyRestrictionBeanImpl.class);
-
-	private final Set<String> prohibitedNamespaces;
-	private final Set<String> permittedExceptions;
-
-	private final Map<FullPropertyKey, PropertyRestrictionLevels> thresholdMap = new ConcurrentHashMap<>();
-
-	public PropertyRestrictionBeanImpl(Collection<String> prohibitedNamespaces,
-			Collection<String> permittedExceptions, ContextModelAccess models) {
-		Objects.requireNonNull(prohibitedNamespaces,
-				"prohibitedNamespaces may not be null.");
-		this.prohibitedNamespaces = Collections.unmodifiableSet(new TreeSet<>(
-				prohibitedNamespaces));
-
-		Objects.requireNonNull(permittedExceptions,
-				"permittedExceptions may not be null.");
-		this.permittedExceptions = Collections.unmodifiableSet(new TreeSet<>(
-				permittedExceptions));
-
-		Objects.requireNonNull(models, "models may not be null.");
-		populateThresholdMap(models.getWebappDaoFactory());
-	}
-
-	private void populateThresholdMap(WebappDaoFactory wadf) {
-		for (ObjectProperty oProp : wadf.getObjectPropertyDao()
-				.getAllObjectProperties()) {
-			addObjectPropertyToMap(oProp);
-			for (FauxProperty fProp : wadf.getFauxPropertyDao()
-					.getFauxPropertiesForBaseUri(oProp.getURI())) {
-				addFauxPropertyToMap(fProp);
-			}
-		}
-		for (DataProperty dProp : wadf.getDataPropertyDao()
-				.getAllDataProperties()) {
-			addDataPropertyToMap(dProp);
-		}
-	}
-
-	private void addObjectPropertyToMap(ObjectProperty oProp) {
-		FullPropertyKey key = new FullPropertyKey(oProp.getURI());
-		PropertyRestrictionLevels levels = new PropertyRestrictionLevels(key,
-				oProp.getHiddenFromDisplayBelowRoleLevel(),
-				oProp.getProhibitedFromUpdateBelowRoleLevel(),
-				oProp.getHiddenFromPublishBelowRoleLevel());
-		thresholdMap.put(key, levels);
-	}
-
-	private void addFauxPropertyToMap(FauxProperty fProp) {
-		FullPropertyKey key = new FullPropertyKey(fProp.getDomainURI(),
-				fProp.getBaseURI(), fProp.getRangeURI());
-		PropertyRestrictionLevels levels = new PropertyRestrictionLevels(key,
-				fProp.getHiddenFromDisplayBelowRoleLevel(),
-				fProp.getProhibitedFromUpdateBelowRoleLevel(),
-				fProp.getHiddenFromPublishBelowRoleLevel());
-		thresholdMap.put(key, levels);
-	}
-
-	private void addDataPropertyToMap(DataProperty dProp) {
-		FullPropertyKey key = new FullPropertyKey(dProp.getURI());
-		PropertyRestrictionLevels levels = new PropertyRestrictionLevels(key,
-				dProp.getHiddenFromDisplayBelowRoleLevel(),
-				dProp.getProhibitedFromUpdateBelowRoleLevel(),
-				dProp.getHiddenFromPublishBelowRoleLevel());
-		thresholdMap.put(key, levels);
-	}
-
-	@Override
-	public boolean canDisplayResource(String resourceUri, RoleLevel userRole) {
-		return (resourceUri != null) && (userRole != null);
-	}
-
-	@Override
-	public boolean canModifyResource(String resourceUri, RoleLevel userRole) {
-		if (resourceUri == null || userRole == null) {
-			return false;
-		}
-		return !prohibitedNamespaces.contains(namespace(resourceUri))
-				|| permittedExceptions.contains(resourceUri);
-	}
-
-	@Override
-	public boolean canPublishResource(String resourceUri, RoleLevel userRole) {
-		return (resourceUri != null) && (userRole != null);
-	}
-
-	@Override
-	public boolean canDisplayPredicate(Property predicate, RoleLevel userRole) {
-		if (predicate == null || predicate.getURI() == null) {
-			return false;
-		}
-		return isAuthorized(userRole, getThreshold(predicate, DISPLAY));
-	}
-
-	@Override
-	public boolean canModifyPredicate(Property predicate, RoleLevel userRole) {
-		if (predicate == null || predicate.getURI() == null) {
-			return false;
-		}
-		return isAuthorized(userRole, getPropertyModifyThreshold(predicate));
-	}
-
-	@Override
-	public boolean canPublishPredicate(Property predicate, RoleLevel userRole) {
-		if (predicate == null || predicate.getURI() == null) {
-			return false;
-		}
-		return isAuthorized(userRole, getThreshold(predicate, PUBLISH));
-	}
-
-	@Override
-	public void updateProperty(PropertyRestrictionLevels levels) {
-		thresholdMap.put(levels.getKey(), levels);
-	}
-
-	private boolean isAuthorized(RoleLevel userRole, RoleLevel thresholdRole) {
-		if (userRole == null) {
-			return false;
-		}
-		if (thresholdRole == null) {
-			return true;
-		}
-		return userRole.compareTo(thresholdRole) >= 0;
-	}
-
-	private RoleLevel getPropertyModifyThreshold(Property p) {
-		if (prohibitedNamespaces.contains(namespace(p.getURI()))
-				&& !permittedExceptions.contains(p.getURI())) {
-			return RoleLevel.NOBODY;
-		}
-		return getThreshold(p, MODIFY);
-	}
-
-	private RoleLevel getThreshold(Property p, Which which) {
-		RoleLevel qualifiedLevel = getThreshold(new FullPropertyKey(p), which);
-		if (qualifiedLevel != null) {
-			return qualifiedLevel;
-		}
-
-		RoleLevel bareLevel = getThreshold(new FullPropertyKey(p.getURI()),
-				which);
-		return bareLevel;
-	}
-
-	private RoleLevel getThreshold(FullPropertyKey key, Which which) {
-		PropertyRestrictionLevels levels = thresholdMap.get(key);
-		if (levels == null) {
-			return null;
-		} else {
-			return levels.getLevel(which);
-		}
-	}
-
-	private String namespace(String uri) {
-		return uri.substring(0, Util.splitNamespaceXML(uri));
-	}
-
-	@Override
-	public String toString() {
-		SortedSet<FullPropertyKey> keys = new TreeSet<>(
-				new Comparator<FullPropertyKey>() {
-					@Override
-					public int compare(FullPropertyKey o1, FullPropertyKey o2) {
-						return o1.toString().compareTo(o2.toString());
-					}
-				});
-		keys.addAll(thresholdMap.keySet());
-
-		StringBuilder buffer = new StringBuilder();
-		for (FullPropertyKey key : keys) {
-			buffer.append(key).append(" ").append(thresholdMap.get(key).getLevel(DISPLAY)).append(" ").append(thresholdMap.get(key).getLevel(MODIFY)).append(" ").append(thresholdMap.get(key).getLevel(PUBLISH)).append("\n");
-		}
-		return buffer.toString();
-
-	}
-
-}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/bean/PropertyRestrictionLevels.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/bean/PropertyRestrictionLevels.java
deleted file mode 100644
index 369c074705..0000000000
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/bean/PropertyRestrictionLevels.java
+++ /dev/null
@@ -1,68 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.policy.bean;
-
-import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean.RoleLevel;
-import edu.cornell.mannlib.vitro.webapp.dao.PropertyDao.FullPropertyKey;
-
-/**
- * The threshold levels for operations on a given property.
- *
- * This is based on the assumption that the FullPropertyKey is sufficient to
- * distinguish all properties. An object property and a data property may not
- * share the same key. A faux property must have a different key from any object
- * property.
- */
-public class PropertyRestrictionLevels {
-	private final FullPropertyKey key;
-	private final RoleLevel displayThreshold;
-	private final RoleLevel modifyThreshold;
-	private final RoleLevel publishThreshold;
-
-	public enum Which {
-		DISPLAY, MODIFY, PUBLISH
-	}
-
-	public PropertyRestrictionLevels(FullPropertyKey key,
-			RoleRestrictedProperty p) {
-		this(key, p.getHiddenFromDisplayBelowRoleLevel(), p
-				.getProhibitedFromUpdateBelowRoleLevel(), p
-				.getHiddenFromPublishBelowRoleLevel());
-	}
-
-	public PropertyRestrictionLevels(FullPropertyKey key,
-			RoleLevel displayThreshold, RoleLevel modifyThreshold,
-			RoleLevel publishThreshold) {
-		this.key = key;
-		this.displayThreshold = displayThreshold;
-		this.modifyThreshold = modifyThreshold;
-		this.publishThreshold = publishThreshold;
-	}
-
-	public FullPropertyKey getKey() {
-		return key;
-	}
-
-	public RoleLevel getLevel(Which which) {
-		if (which == null) {
-			return null;
-		} else {
-			switch (which) {
-			case DISPLAY:
-				return displayThreshold;
-			case MODIFY:
-				return modifyThreshold;
-			default:
-				return publishThreshold;
-			}
-		}
-	}
-
-	@Override
-	public String toString() {
-		return "PropertyRestrictionLevels[key=" + key + ", display="
-				+ displayThreshold + ", modify=" + modifyThreshold
-				+ ", publish=" + publishThreshold + "]";
-	}
-
-}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/bean/PropertyRestrictionListener.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/bean/PropertyRestrictionListener.java
index d632703fac..19862e2cd4 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/bean/PropertyRestrictionListener.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/bean/PropertyRestrictionListener.java
@@ -2,12 +2,13 @@
 
 package edu.cornell.mannlib.vitro.webapp.auth.policy.bean;
 
+import edu.cornell.mannlib.vitro.webapp.auth.policy.EntityPolicyController;
+import edu.cornell.mannlib.vitro.webapp.beans.Property;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
 import edu.cornell.mannlib.vedit.beans.EditProcessObject;
 import edu.cornell.mannlib.vedit.listener.ChangeListener;
-import edu.cornell.mannlib.vitro.webapp.dao.PropertyDao.FullPropertyKey;
 
 /**
  * Add this ChangeListener to your EditProcessObject when modifying the
@@ -15,20 +16,17 @@
  * appropriate.
  */
 public class PropertyRestrictionListener implements ChangeListener {
-	private static final Log log = LogFactory
-			.getLog(PropertyRestrictionListener.class);
+	private static final Log log = LogFactory.getLog(PropertyRestrictionListener.class);
 
 	/**
 	 * If the deleted property had a non-null restriction, rebuild the bean.
 	 */
 	@Override
 	public void doDeleted(Object oldObj, EditProcessObject epo) {
-		if (oldObj instanceof RoleRestrictedProperty) {
-			RoleRestrictedProperty p = (RoleRestrictedProperty) oldObj;
-			FullPropertyKey key = new FullPropertyKey(p);
-			updateLevels(new PropertyRestrictionLevels(key, p));
+		if (oldObj instanceof Property) {
+		    EntityPolicyController.deletedEntityEvent((Property)oldObj);
 		} else {
-			log.warn("Not an instance of RoleRestrictedProperty: " + oldObj);
+			log.warn("Not an instance of Property: " + oldObj);
 		}
 	}
 
@@ -37,12 +35,10 @@ public void doDeleted(Object oldObj, EditProcessObject epo) {
 	 */
 	@Override
 	public void doInserted(Object newObj, EditProcessObject epo) {
-		if (newObj instanceof RoleRestrictedProperty) {
-			RoleRestrictedProperty p = (RoleRestrictedProperty) newObj;
-			FullPropertyKey key = new FullPropertyKey(p);
-			updateLevels(new PropertyRestrictionLevels(key, p));
+		if (newObj instanceof Property) {
+	        EntityPolicyController.insertedEntityEvent((Property)newObj);
 		} else {
-			log.warn("Not an instance of RoleRestrictedProperty: " + newObj);
+			log.warn("Not an instance of Property: " + newObj);
 		}
 	}
 
@@ -51,17 +47,12 @@ public void doInserted(Object newObj, EditProcessObject epo) {
 	 */
 	@Override
 	public void doUpdated(Object oldObj, Object newObj, EditProcessObject epo) {
-		if (newObj instanceof RoleRestrictedProperty) {
-			RoleRestrictedProperty newP = (RoleRestrictedProperty) newObj;
-			FullPropertyKey key = new FullPropertyKey(newP);
-			updateLevels(new PropertyRestrictionLevels(key, newP));
+		if (newObj instanceof Property) {
+	        EntityPolicyController.updatedEntityEvent(oldObj, newObj);
+
 		} else {
-			log.warn("Not instances of RoleRestrictedProperty: " + oldObj
+			log.warn("Not instances of Property: " + oldObj
 					+ ", " + newObj);
 		}
 	}
-
-	private void updateLevels(PropertyRestrictionLevels levels) {
-		PropertyRestrictionBean.getBean().updateProperty(levels);
-	}
 }
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/bean/RoleRestrictedProperty.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/bean/RoleRestrictedProperty.java
deleted file mode 100644
index 7219bbf4bd..0000000000
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/bean/RoleRestrictedProperty.java
+++ /dev/null
@@ -1,23 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.policy.bean;
-
-import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean.RoleLevel;
-
-/**
- * A property or faux property whose usage can be restricted according to the
- * user's role level.
- */
-public interface RoleRestrictedProperty {
-	String getDomainVClassURI();
-
-	String getRangeVClassURI();
-
-	String getURI();
-
-	RoleLevel getHiddenFromDisplayBelowRoleLevel();
-
-	RoleLevel getProhibitedFromUpdateBelowRoleLevel();
-
-	RoleLevel getHiddenFromPublishBelowRoleLevel();
-}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/ifaces/Authorization.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/ifaces/DecisionResult.java
similarity index 89%
rename from api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/ifaces/Authorization.java
rename to api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/ifaces/DecisionResult.java
index 367a5a2acb..b5eaae3875 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/ifaces/Authorization.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/ifaces/DecisionResult.java
@@ -2,7 +2,7 @@
 
 package edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces;
 
-public enum Authorization {
+public enum DecisionResult {
     AUTHORIZED, //explicitly authorized
     UNAUTHORIZED, //explicitly not authorized
     INCONCLUSIVE;
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/ifaces/Policy.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/ifaces/Policy.java
new file mode 100644
index 0000000000..159bf85455
--- /dev/null
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/ifaces/Policy.java
@@ -0,0 +1,29 @@
+/* $This file is distributed under the terms of the license in LICENSE$ */
+
+package edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces;
+
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.AuthorizationRequest;
+
+/**
+ * Represents the process of mapping an identifier that represents a user or principle and a action they are requesting
+ * to true, representing authorized or false, representing unauthorized.
+ *
+ * @author bdc34
+ *
+ */
+public interface Policy {
+
+    PolicyDecision decide(AuthorizationRequest ar);
+
+    default String getUri() {
+        return "";
+    }
+
+    default long getPriority() {
+        return 0;
+    }
+
+    default String getShortUri() {
+        return "";
+    }
+}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/ifaces/PolicyDecision.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/ifaces/PolicyDecision.java
index c174776c1b..c7a93fbed6 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/ifaces/PolicyDecision.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/ifaces/PolicyDecision.java
@@ -3,14 +3,17 @@
 package edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces;
 
 /**
- * Object to represent a decision from a policy.  The intent is
- * that the message would be presented to users to indicate why
- * they are not authorized for some action.
+ * Object to represent a decision from a policy. The intent is that the message would be presented to users to indicate
+ * why they are not authorized for some action.
  */
 public interface PolicyDecision {
-    public Authorization getAuthorized();
 
-    public String getStackTrace();
-    public String getMessage();
-    public String getDebuggingInfo();
+    DecisionResult getDecisionResult();
+
+    String getStackTrace();
+
+    String getMessage();
+
+    String getDebuggingInfo();
+
 }
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/ifaces/PolicyIface.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/ifaces/PolicyIface.java
deleted file mode 100644
index 11a19a4ede..0000000000
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/ifaces/PolicyIface.java
+++ /dev/null
@@ -1,19 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces;
-
-import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction;
-
-/**
- * Represents the process of mapping an identifier that represents a user or
- * principle and a action they are requesting to true, representing authorized or
- * false, representing unauthorized.
- *
- * @author bdc34
- *
- */
-public interface PolicyIface  {
-    public PolicyDecision isAuthorized(IdentifierBundle whoToAuth, RequestedAction whatToAuth);
-
-}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/setup/CommonPolicyFamilySetup.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/setup/CommonPolicyFamilySetup.java
index 7a57232677..bc370dc85d 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/setup/CommonPolicyFamilySetup.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/setup/CommonPolicyFamilySetup.java
@@ -8,17 +8,14 @@
 
 import edu.cornell.mannlib.vitro.webapp.auth.identifier.ActiveIdentifierBundleFactories;
 import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundleFactory;
-import edu.cornell.mannlib.vitro.webapp.auth.identifier.factory.HasPermissionFactory;
 import edu.cornell.mannlib.vitro.webapp.auth.identifier.factory.HasPermissionSetFactory;
-import edu.cornell.mannlib.vitro.webapp.auth.identifier.factory.HasProfileOrIsBlacklistedFactory;
+import edu.cornell.mannlib.vitro.webapp.auth.identifier.factory.HasProfileFactory;
 import edu.cornell.mannlib.vitro.webapp.auth.identifier.factory.HasProxyEditingRightsFactory;
 import edu.cornell.mannlib.vitro.webapp.auth.identifier.factory.IsRootUserFactory;
 import edu.cornell.mannlib.vitro.webapp.auth.identifier.factory.IsUserFactory;
-import edu.cornell.mannlib.vitro.webapp.auth.policy.DisplayRestrictedDataToSelfPolicy;
-import edu.cornell.mannlib.vitro.webapp.auth.policy.PermissionsPolicy;
-import edu.cornell.mannlib.vitro.webapp.auth.policy.SelfEditingPolicy;
-import edu.cornell.mannlib.vitro.webapp.auth.policy.ServletPolicyList;
-import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyIface;
+import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyLoader;
+import edu.cornell.mannlib.vitro.webapp.modelaccess.ModelAccess;
+import edu.cornell.mannlib.vitro.webapp.modelaccess.ModelAccess.WhichService;
 import edu.cornell.mannlib.vitro.webapp.startup.StartupStatus;
 
 /**
@@ -32,27 +29,20 @@ public void contextInitialized(ServletContextEvent sce) {
 		StartupStatus ss = StartupStatus.getBean(ctx);
 
 		try {
-			policy(ctx, new PermissionsPolicy());
-			policy(ctx, new DisplayRestrictedDataToSelfPolicy(ctx));
-			policy(ctx, new SelfEditingPolicy(ctx));
-
-			factory(ctx, new IsUserFactory(ctx));
-			factory(ctx, new IsRootUserFactory(ctx));
-			factory(ctx, new HasProfileOrIsBlacklistedFactory(ctx));
-			factory(ctx, new HasPermissionSetFactory(ctx));
-			factory(ctx, new HasPermissionFactory(ctx));
-			factory(ctx, new HasProxyEditingRightsFactory(ctx));
+		    PolicyLoader.initialize(ModelAccess.getInstance().getRDFService(WhichService.CONFIGURATION));
+		    PolicyLoader.getInstance().loadPolicies();
+			factory(new IsUserFactory());
+			factory(new IsRootUserFactory());
+			factory(new HasProfileFactory());
+			factory(new HasPermissionSetFactory());
+			factory(new HasProxyEditingRightsFactory());
 		} catch (Exception e) {
 			ss.fatal(this, "could not run CommonPolicyFamilySetup", e);
 		}
 	}
 
-	private void policy(ServletContext ctx, PolicyIface policy) {
-		ServletPolicyList.addPolicy(ctx, policy);
-	}
-
-	private void factory(ServletContext ctx, IdentifierBundleFactory factory) {
-		ActiveIdentifierBundleFactories.addFactory(ctx, factory);
+	private void factory(IdentifierBundleFactory factory) {
+		ActiveIdentifierBundleFactories.addFactory(factory);
 	}
 
 	@Override
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/specialrelationships/AbstractRelationshipPolicy.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/specialrelationships/AbstractRelationshipPolicy.java
deleted file mode 100644
index ddf88ed179..0000000000
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/specialrelationships/AbstractRelationshipPolicy.java
+++ /dev/null
@@ -1,63 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.policy.specialrelationships;
-
-import javax.servlet.ServletContext;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-
-import edu.cornell.mannlib.vitro.webapp.auth.policy.BasicPolicyDecision;
-import edu.cornell.mannlib.vitro.webapp.auth.policy.bean.PropertyRestrictionBean;
-import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.Authorization;
-import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyDecision;
-import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyIface;
-import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean.RoleLevel;
-import edu.cornell.mannlib.vitro.webapp.beans.Property;
-
-/**
- * A collection of building-block methods so we can code a policy based on the
- * relationship of the object being edited to the identity of the user doing the
- * editing.
- */
-public abstract class AbstractRelationshipPolicy implements PolicyIface {
-	private static final Log log = LogFactory
-			.getLog(AbstractRelationshipPolicy.class);
-
-	protected final ServletContext ctx;
-
-	public AbstractRelationshipPolicy(ServletContext ctx) {
-		this.ctx = ctx;
-	}
-
-	protected boolean canModifyResource(String uri) {
-		return PropertyRestrictionBean.getBean().canModifyResource(uri,
-				RoleLevel.SELF);
-	}
-
-	protected boolean canModifyPredicate(Property predicate) {
-		return PropertyRestrictionBean.getBean().canModifyPredicate(predicate,
-				RoleLevel.SELF);
-	}
-
-	protected PolicyDecision cantModifyResource(String uri) {
-		return inconclusiveDecision("No access to admin resources; cannot modify "
-				+ uri);
-	}
-
-	protected PolicyDecision cantModifyPredicate(String uri) {
-		return inconclusiveDecision("No access to admin predicates; cannot modify "
-				+ uri);
-	}
-
-	protected PolicyDecision userNotAuthorizedToStatement() {
-		return inconclusiveDecision("User has no access to this statement.");
-	}
-
-	/** An INCONCLUSIVE decision with a message like "PolicyClass: message". */
-	protected PolicyDecision inconclusiveDecision(String message) {
-		return new BasicPolicyDecision(Authorization.INCONCLUSIVE, getClass()
-				.getSimpleName() + ": " + message);
-	}
-
-}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/specialrelationships/RelationshipChecker.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/specialrelationships/RelationshipChecker.java
deleted file mode 100644
index 31625f912a..0000000000
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/specialrelationships/RelationshipChecker.java
+++ /dev/null
@@ -1,205 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.policy.specialrelationships;
-
-import java.util.ArrayList;
-import java.util.List;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-
-import org.apache.jena.ontology.OntModel;
-import org.apache.jena.rdf.model.Property;
-import org.apache.jena.rdf.model.RDFNode;
-import org.apache.jena.rdf.model.Resource;
-import org.apache.jena.rdf.model.Selector;
-import org.apache.jena.rdf.model.SimpleSelector;
-import org.apache.jena.rdf.model.StmtIterator;
-import org.apache.jena.shared.Lock;
-
-import edu.cornell.mannlib.vitro.webapp.auth.policy.BasicPolicyDecision;
-import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.Authorization;
-import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyDecision;
-import edu.cornell.mannlib.vitro.webapp.dao.VitroVocabulary;
-
-/**
- * Look for relationships within an OntModel. Types of resources, links between
- * resources, and links between resources via a context node.
- *
- * Also provides some convenience methods for test lists of URIs and for
- * creating PolicyDecisions.
- */
-public class RelationshipChecker {
-	private static final Log log = LogFactory.getLog(RelationshipChecker.class);
-
-	protected static final String NS_CORE = "http://vivoweb.org/ontology/core#";
-	protected static final String NS_OBO = "http://purl.obolibrary.org/obo/";
-	protected static final String URI_RELATES = NS_CORE + "relates";
-	protected static final String URI_RELATED_BY = NS_CORE + "relatedBy";
-	protected static final String URI_INHERES_IN = NS_OBO + "RO_0000052";
-	protected static final String URI_REALIZES = NS_OBO + "BFO_0000055";
-
-	private final OntModel ontModel;
-
-	public RelationshipChecker(OntModel ontModel) {
-		this.ontModel = ontModel;
-	}
-
-	/**
-	 * Are there any URIs that appear in both of these lists?
-	 */
-	public boolean anyUrisInCommon(List<String> list1, List<String> list2) {
-		List<String> urisInCommon = new ArrayList<String>(list1);
-		urisInCommon.retainAll(list2);
-		return !urisInCommon.isEmpty();
-	}
-
-	/**
-	 * Is this resource a member of this type? That is, is there an statement of
-	 * the form: {@code <resourceUri> rdfs:type <typeUri> }
-	 */
-	public boolean isResourceOfType(String resourceUri, String typeUri) {
-		Selector selector = createSelector(resourceUri,
-				VitroVocabulary.RDF_TYPE, typeUri);
-
-		StmtIterator stmts = null;
-		ontModel.enterCriticalSection(Lock.READ);
-		try {
-			stmts = ontModel.listStatements(selector);
-			if (stmts.hasNext()) {
-				log.debug("resource '" + resourceUri + "' is of type '"
-						+ typeUri + "'");
-				return true;
-			} else {
-				log.debug("resource '" + resourceUri + "' is not of type '"
-						+ typeUri + "'");
-				return false;
-			}
-		} finally {
-			if (stmts != null) {
-				stmts.close();
-			}
-			ontModel.leaveCriticalSection();
-		}
-	}
-
-	/**
-	 * Get a list of the object URIs that satisfy this statement:
-	 *
-	 * {@code <resourceUri> <propertyUri> <objectUri> }
-	 *
-	 * May return an empty list, but never returns null.
-	 */
-	public List<String> getObjectsOfProperty(String resourceUri,
-			String propertyUri) {
-		List<String> list = new ArrayList<String>();
-
-		Selector selector = createSelector(resourceUri, propertyUri, null);
-
-		StmtIterator stmts = null;
-		ontModel.enterCriticalSection(Lock.READ);
-		try {
-			stmts = ontModel.listStatements(selector);
-			while (stmts.hasNext()) {
-				list.add(stmts.next().getObject().toString());
-			}
-			log.debug("Objects of property '" + propertyUri + "' on resource '"
-					+ resourceUri + "': " + list);
-			return list;
-		} finally {
-			if (stmts != null) {
-				stmts.close();
-			}
-			ontModel.leaveCriticalSection();
-		}
-	}
-
-	/**
-	 * Get a list of the object URIs that satisfy these statements:
-	 *
-	 * {@code <resourceUri> <linkUri> <contextNodeUri> }
-	 *
-	 * {@code <contextNodeUri> <propertyUri> <objectUri> }
-	 *
-	 * May return an empty list, but never returns null.
-	 */
-	public List<String> getObjectsOfLinkedProperty(String resourceUri,
-			String linkUri, String propertyUri) {
-		List<String> list = new ArrayList<String>();
-
-		Selector selector = createSelector(resourceUri, linkUri, null);
-
-		StmtIterator stmts = null;
-
-		ontModel.enterCriticalSection(Lock.READ);
-		try {
-			stmts = ontModel.listStatements(selector);
-			while (stmts.hasNext()) {
-				RDFNode contextNode = stmts.next().getObject();
-				if (contextNode.isResource()) {
-					log.debug("found context node for '" + resourceUri + "': "
-							+ contextNode);
-					list.addAll(getObjectsOfProperty(contextNode.asResource()
-							.getURI(), propertyUri));
-				}
-			}
-			log.debug("Objects of linked properties '" + linkUri + "' ==> '"
-					+ propertyUri + "' on '" + resourceUri + "': " + list);
-			return list;
-		} finally {
-			if (stmts != null) {
-				stmts.close();
-			}
-			ontModel.leaveCriticalSection();
-		}
-	}
-
-	/**
-	 * Get a list of URIs for object that link to the specified resource, by
-	 * means of the specified properties, through a linking node of the
-	 * specified type.
-	 *
-	 * So we're looking for object URIs that statisfy these statements:
-	 *
-	 * {@code <resourceUri> <property1Uri> <linkNodeUri> }
-	 *
-	 * {@code <linkNodeUri> rdfs:type <linkNodeTypeUri> }
-	 *
-	 * {@code <linkNodeUri> <property2Uri> <objectUri> }
-	 */
-	public List<String> getObjectsThroughLinkingNode(String resourceUri,
-			String property1Uri, String linkNodeTypeUri, String property2Uri) {
-		List<String> list = new ArrayList<String>();
-
-		for (String linkNodeUri : getObjectsOfProperty(resourceUri, property1Uri)) {
-			if (isResourceOfType(linkNodeUri, linkNodeTypeUri)) {
-				list.addAll(getObjectsOfProperty(linkNodeUri, property2Uri));
-			}
-		}
-
-		return list;
-	}
-
-	public Selector createSelector(String subjectUri, String predicateUri,
-			String objectUri) {
-		Resource subject = (subjectUri == null) ? null : ontModel
-				.getResource(subjectUri);
-		return createSelector(subject, predicateUri, objectUri);
-	}
-
-	public Selector createSelector(Resource subject, String predicateUri,
-			String objectUri) {
-		Property predicate = (predicateUri == null) ? null : ontModel
-				.getProperty(predicateUri);
-		RDFNode object = (objectUri == null) ? null : ontModel
-				.getResource(objectUri);
-		return new SimpleSelector(subject, predicate, object);
-	}
-
-	/** An AUTHORIZED decision with a message like "PolicyClass: message". */
-	protected PolicyDecision authorizedDecision(String message) {
-		return new BasicPolicyDecision(Authorization.AUTHORIZED, getClass()
-				.getSimpleName() + ": " + message);
-	}
-
-}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/AllowedAuthorizationRequest.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/AllowedAuthorizationRequest.java
new file mode 100644
index 0000000000..de6e0df893
--- /dev/null
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/AllowedAuthorizationRequest.java
@@ -0,0 +1,32 @@
+/* $This file is distributed under the terms of the license in LICENSE$ */
+
+package edu.cornell.mannlib.vitro.webapp.auth.requestedAction;
+
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.AccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.DecisionResult;
+
+public class AllowedAuthorizationRequest extends AuthorizationRequest {
+
+    private DecisionResult decision;
+
+    public AllowedAuthorizationRequest() {
+        decision = DecisionResult.AUTHORIZED;
+    }
+
+    @Override
+    public DecisionResult getPredefinedDecision() {
+        return decision;
+    }
+
+    @Override
+    public AccessObject getAccessObject() {
+        return null;
+    }
+
+    @Override
+    public AccessOperation getAccessOperation() {
+        return null;
+    }
+
+}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/AndAuthorizationRequest.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/AndAuthorizationRequest.java
new file mode 100644
index 0000000000..a4b84adc44
--- /dev/null
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/AndAuthorizationRequest.java
@@ -0,0 +1,51 @@
+/* $This file is distributed under the terms of the license in LICENSE$ */
+
+package edu.cornell.mannlib.vitro.webapp.auth.requestedAction;
+
+import java.util.Arrays;
+import java.util.List;
+
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation;
+import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.AccessObject;
+
+public class AndAuthorizationRequest extends AuthorizationRequest {
+
+    private final AuthorizationRequest ar1;
+    private final AuthorizationRequest ar2;
+
+    AndAuthorizationRequest(AuthorizationRequest ar1, AuthorizationRequest ar2) {
+        this.ar1 = ar1;
+        this.ar2 = ar2;
+    }
+
+    @Override
+    public WRAP_TYPE getWrapType() {
+        return WRAP_TYPE.AND;
+    }
+
+    public List<AuthorizationRequest> getItems() {
+        return Arrays.asList(ar1, ar2);
+    };
+
+    @Override
+    public String toString() {
+        return "(" + ar1 + " && " + ar2 + ")";
+    }
+
+    @Override
+    public AccessObject getAccessObject() {
+        return null;
+    }
+
+    @Override
+    public AccessOperation getAccessOperation() {
+        return null;
+    }
+
+    @Override
+    public IdentifierBundle getIds() {
+        return null;
+    }
+
+}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/AuthorizationRequest.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/AuthorizationRequest.java
index 80e3f32cf5..788cb9290c 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/AuthorizationRequest.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/AuthorizationRequest.java
@@ -2,124 +2,91 @@
 
 package edu.cornell.mannlib.vitro.webapp.auth.requestedAction;
 
-import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
 
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation;
 import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle;
-import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyIface;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.AccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.DecisionResult;
 
-/**
- * A base class for RequestedAction that permits boolean operations on them.
- *
- * A null request is ignored, so in "and" it is equivalent to true, while in
- * "or" it is equivalent to false.
- */
 public abstract class AuthorizationRequest {
-	// ----------------------------------------------------------------------
-	// Constants
-	// ----------------------------------------------------------------------
-
-	public static final AuthorizationRequest AUTHORIZED = new AuthorizationRequest() {
-		@Override
-		public boolean isAuthorized(IdentifierBundle ids, PolicyIface policy) {
-			return true;
-		}
-	};
-
-	public static final AuthorizationRequest UNAUTHORIZED = new AuthorizationRequest() {
-		@Override
-		public boolean isAuthorized(IdentifierBundle ids, PolicyIface policy) {
-			return false;
-		}
-	};
-
-	// ----------------------------------------------------------------------
-	// Static convenience methods
-	// ----------------------------------------------------------------------
-
-	public static AuthorizationRequest andAll(AuthorizationRequest... ars) {
-		return andAll(Arrays.asList(ars));
-	}
-
-	public static AuthorizationRequest andAll(
-			Iterable<? extends AuthorizationRequest> ars) {
-		AuthorizationRequest result = AUTHORIZED;
-		for (AuthorizationRequest ar : ars) {
-			result = result.and(ar);
-		}
-		return result;
-	}
-
-	// ----------------------------------------------------------------------
-	// The abstract class
-	// ----------------------------------------------------------------------
-
-	public AuthorizationRequest and(AuthorizationRequest that) {
-		if (that == null) {
-			return this;
-		} else {
-			return new AndAuthorizationRequest(this, that);
-		}
-	}
-
-	public AuthorizationRequest or(AuthorizationRequest that) {
-		if (that == null) {
-			return this;
-		} else {
-			return new OrAuthorizationRequest(this, that);
-		}
-	}
-
-	public abstract boolean isAuthorized(IdentifierBundle ids,
-			PolicyIface policy);
-
-	// ----------------------------------------------------------------------
-	// Subclasses for boolean operations
-	// ----------------------------------------------------------------------
-
-	private static class AndAuthorizationRequest extends AuthorizationRequest {
-		private final AuthorizationRequest ar1;
-		private final AuthorizationRequest ar2;
-
-		private AndAuthorizationRequest(AuthorizationRequest ar1,
-				AuthorizationRequest ar2) {
-			this.ar1 = ar1;
-			this.ar2 = ar2;
-		}
-
-		@Override
-		public boolean isAuthorized(IdentifierBundle ids, PolicyIface policy) {
-			return ar1.isAuthorized(ids, policy)
-					&& ar2.isAuthorized(ids, policy);
-		}
-
-		@Override
-		public String toString() {
-			return "(" + ar1 + " && " + ar2 + ")";
-		}
-
-	}
-
-	private static class OrAuthorizationRequest extends AuthorizationRequest {
-		private final AuthorizationRequest ar1;
-		private final AuthorizationRequest ar2;
-
-		private OrAuthorizationRequest(AuthorizationRequest ar1,
-				AuthorizationRequest ar2) {
-			this.ar1 = ar1;
-			this.ar2 = ar2;
-		}
-
-		@Override
-		public boolean isAuthorized(IdentifierBundle ids, PolicyIface policy) {
-			return ar1.isAuthorized(ids, policy)
-					|| ar2.isAuthorized(ids, policy);
-		}
-
-		@Override
-		public String toString() {
-			return "(" + ar1 + " || " + ar2 + ")";
-		}
-
-	}
 
+    public static final AuthorizationRequest UNAUTHORIZED = new ForbiddenAuthorizationRequest();
+    public static final AuthorizationRequest AUTHORIZED = new AllowedAuthorizationRequest();
+    
+    public static enum WRAP_TYPE { AND , OR } ; 
+    
+    IdentifierBundle ids;
+    private List<String> editorUris = Collections.emptyList();
+    List<String> roleUris = Collections.emptyList();
+
+    
+    public void setRoleUris(List<String> roleUris) {
+        this.roleUris = roleUris;
+    }
+
+    public WRAP_TYPE getWrapType() {
+        return null;
+    }
+
+    public DecisionResult getPredefinedDecision(){
+        return DecisionResult.INCONCLUSIVE;
+    }
+    
+    public List<AuthorizationRequest> getItems() {
+        return Collections.emptyList();
+    }
+    
+    public abstract AccessObject getAccessObject();
+    
+    public abstract AccessOperation getAccessOperation();
+
+    public IdentifierBundle getIds() {
+        return ids;
+    }
+    
+    public List<String> getRoleUris() {
+        return roleUris;
+    }
+    
+    public void setIds(IdentifierBundle ids) {
+        this.ids = ids;
+    }
+
+    public void setEditorUris(List<String> list) {
+        editorUris = list;
+    }
+
+    public List<String> getEditorUris(){
+        return editorUris;
+    }
+
+    public static AuthorizationRequest or(AuthorizationRequest fist, AuthorizationRequest second) {
+        if (fist == null) {
+            return second;
+        } else if (second == null) {
+            return fist;
+        } else {
+            return new OrAuthorizationRequest(fist, second);
+        }
+    }
+    
+    public AuthorizationRequest and(AuthorizationRequest second) {
+        return new AndAuthorizationRequest(this, second);
+    }
+    
+    @Override
+    public String toString() {
+        String result = "";
+        if (!getRoleUris().isEmpty()) {
+            result += String.format("User with roles '%s' ", getRoleUris().toString());
+        }
+        if (!getEditorUris().isEmpty()) {
+            result += String.format(" profile uris '%s' ", getEditorUris().toString());
+        }
+        result += String.format(" requested '%s' ", getAccessOperation());
+        result += String.format(" on '%s' ", getAccessObject());
+        return result;
+    }
 }
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/ForbiddenAuthorizationRequest.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/ForbiddenAuthorizationRequest.java
new file mode 100644
index 0000000000..62b8d6ff68
--- /dev/null
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/ForbiddenAuthorizationRequest.java
@@ -0,0 +1,37 @@
+/* $This file is distributed under the terms of the license in LICENSE$ */
+
+package edu.cornell.mannlib.vitro.webapp.auth.requestedAction;
+
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation;
+import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.AccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.DecisionResult;
+
+public class ForbiddenAuthorizationRequest extends AuthorizationRequest {
+
+    private DecisionResult predefinedDecision;
+
+    public ForbiddenAuthorizationRequest() {
+        predefinedDecision = DecisionResult.UNAUTHORIZED;
+    }
+
+    @Override
+    public DecisionResult getPredefinedDecision() {
+        return predefinedDecision;
+    }
+
+    @Override
+    public AccessObject getAccessObject() {
+        return null;
+    }
+
+    @Override
+    public AccessOperation getAccessOperation() {
+        return null;
+    }
+
+    @Override
+    public IdentifierBundle getIds() {
+        return null;
+    }
+}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/OrAuthorizationRequest.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/OrAuthorizationRequest.java
new file mode 100644
index 0000000000..e59991120c
--- /dev/null
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/OrAuthorizationRequest.java
@@ -0,0 +1,51 @@
+/* $This file is distributed under the terms of the license in LICENSE$ */
+
+package edu.cornell.mannlib.vitro.webapp.auth.requestedAction;
+
+import java.util.Arrays;
+import java.util.List;
+
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation;
+import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.AccessObject;
+
+public class OrAuthorizationRequest extends AuthorizationRequest {
+
+    private final AuthorizationRequest ar1;
+    private final AuthorizationRequest ar2;
+
+    OrAuthorizationRequest(AuthorizationRequest ar1, AuthorizationRequest ar2) {
+        this.ar1 = ar1;
+        this.ar2 = ar2;
+    }
+
+    public List<AuthorizationRequest> getItems() {
+        return Arrays.asList(ar1, ar2);
+    };
+
+    @Override
+    public WRAP_TYPE getWrapType() {
+        return WRAP_TYPE.OR;
+    }
+
+    @Override
+    public String toString() {
+        return "(" + ar1 + " || " + ar2 + ")";
+    }
+
+    @Override
+    public AccessObject getAccessObject() {
+        return null;
+    }
+
+    @Override
+    public AccessOperation getAccessOperation() {
+        return null;
+    }
+
+    @Override
+    public IdentifierBundle getIds() {
+        return null;
+    }
+
+}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/RequestedAction.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/RequestedAction.java
deleted file mode 100644
index e326674659..0000000000
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/RequestedAction.java
+++ /dev/null
@@ -1,41 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.requestedAction;
-
-import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle;
-import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.Authorization;
-import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyDecision;
-import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyIface;
-import edu.cornell.mannlib.vitro.webapp.beans.Property;
-
-/* Represents a request to perform an action.    */
-public abstract class RequestedAction extends AuthorizationRequest {
-	public static String ACTION_NAMESPACE = "java:";
-
-	public static String SOME_URI = "?SOME_URI";
-	public static Property SOME_PREDICATE = new Property(SOME_URI);
-	public static String SOME_LITERAL = "?SOME_LITERAL";
-
-	/**
-	 * In its most basic form, a RequestAction needs to have an identifier.
-	 * Sometimes this will be enough.
-	 */
-	public String getURI() {
-		return ACTION_NAMESPACE + this.getClass().getName();
-	}
-
-	/**
-	 * For authorization, just ask the Policy. INCONCLUSIVE is not good enough.
-	 */
-	@Override
-	public final boolean isAuthorized(IdentifierBundle ids, PolicyIface policy) {
-		PolicyDecision decision = policy.isAuthorized(ids, this);
-		return decision.getAuthorized() == Authorization.AUTHORIZED;
-	}
-
-	@Override
-	public String toString() {
-		return this.getClass().getSimpleName();
-	}
-
-}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/SimpleAuthorizationRequest.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/SimpleAuthorizationRequest.java
new file mode 100644
index 0000000000..8cba356195
--- /dev/null
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/SimpleAuthorizationRequest.java
@@ -0,0 +1,49 @@
+/* $This file is distributed under the terms of the license in LICENSE$ */
+
+package edu.cornell.mannlib.vitro.webapp.auth.requestedAction;
+
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.AccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.NamedAccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.DecisionResult;
+
+public class SimpleAuthorizationRequest extends AuthorizationRequest {
+
+    private AccessObject object;
+
+    public AccessObject getObject() {
+        return object;
+    }
+
+    public AccessOperation getOperation() {
+        return operation;
+    }
+
+    private AccessOperation operation;
+
+    public SimpleAuthorizationRequest(AccessObject object, AccessOperation operation) {
+        this.object = object;
+        this.operation = operation;
+    }
+
+    public SimpleAuthorizationRequest(String namedAccessObject) {
+        this.object = new NamedAccessObject(namedAccessObject);
+        this.operation = AccessOperation.EXECUTE;
+    }
+
+    @Override
+    public DecisionResult getPredefinedDecision() {
+        return DecisionResult.INCONCLUSIVE;
+    }
+
+    @Override
+    public AccessObject getAccessObject() {
+        return object;
+    }
+
+    @Override
+    public AccessOperation getAccessOperation() {
+        return operation;
+    }
+
+}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/SimpleRequestedAction.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/SimpleRequestedAction.java
deleted file mode 100644
index 28ff5ba770..0000000000
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/SimpleRequestedAction.java
+++ /dev/null
@@ -1,48 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.requestedAction;
-
-
-/**
- * A RequestedAction that can be recognized by a SimplePermission.
- */
-public class SimpleRequestedAction extends RequestedAction {
-	private final String uri;
-
-	public SimpleRequestedAction(String uri) {
-		if (uri == null) {
-			throw new NullPointerException("uri may not be null.");
-		}
-
-		this.uri = uri;
-	}
-
-	@Override
-	public String getURI() {
-		return uri;
-	}
-
-	@Override
-	public int hashCode() {
-		return uri.hashCode();
-	}
-
-	@Override
-	public boolean equals(Object o) {
-		if (o instanceof SimpleRequestedAction) {
-			SimpleRequestedAction that = (SimpleRequestedAction) o;
-			return equivalent(this.uri, that.uri);
-		}
-		return false;
-	}
-
-	private boolean equivalent(Object o1, Object o2) {
-		return (o1 == null) ? (o2 == null) : o1.equals(o2);
-	}
-
-	@Override
-	public String toString() {
-		return "SimpleRequestedAction['" + uri + "']";
-	}
-
-}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/admin/AddNewUser.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/admin/AddNewUser.java
deleted file mode 100644
index 0c57618a98..0000000000
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/admin/AddNewUser.java
+++ /dev/null
@@ -1,11 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.requestedAction.admin;
-
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.AdminRequestedAction;
-
-/** Should we allow the user to create a user account? */
-public class AddNewUser extends RequestedAction implements AdminRequestedAction{
-	// no members
-}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/admin/LoadOntology.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/admin/LoadOntology.java
deleted file mode 100644
index ea7027a735..0000000000
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/admin/LoadOntology.java
+++ /dev/null
@@ -1,19 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.requestedAction.admin;
-
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.AdminRequestedAction;
-
-/** Should we allow the user to load an ontology? */
-public class LoadOntology extends RequestedAction implements AdminRequestedAction{
-    protected String ontologyUrl;
-
-    public String getOntologyUrl() {
-        return ontologyUrl;
-    }
-
-    public void setOntologyUrl(String ontologyUrl) {
-        this.ontologyUrl = ontologyUrl;
-    }
-}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/admin/RebuildTextIndex.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/admin/RebuildTextIndex.java
deleted file mode 100644
index e0261e4504..0000000000
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/admin/RebuildTextIndex.java
+++ /dev/null
@@ -1,10 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.requestedAction.admin;
-
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.AdminRequestedAction;
-
-public class RebuildTextIndex extends RequestedAction implements AdminRequestedAction{
-	// no members
-}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/admin/RemoveUser.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/admin/RemoveUser.java
deleted file mode 100644
index 28fd602ad0..0000000000
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/admin/RemoveUser.java
+++ /dev/null
@@ -1,19 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.requestedAction.admin;
-
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.AdminRequestedAction;
-
-/** Should we allow the user to remove a user account */
-public class RemoveUser extends RequestedAction implements AdminRequestedAction{
-    protected String userUri;
-
-    public String getUserUri() {
-        return userUri;
-    }
-
-    public void setUserUri(String userUri) {
-        this.userUri = userUri;
-    }
-}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/admin/ServerStatus.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/admin/ServerStatus.java
deleted file mode 100644
index 8e2ff80ddd..0000000000
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/admin/ServerStatus.java
+++ /dev/null
@@ -1,11 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.requestedAction.admin;
-
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.AdminRequestedAction;
-
-/** Should we allow the user to view information about the server status? */
-public class ServerStatus extends RequestedAction implements AdminRequestedAction {
-	// no members
-}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/admin/UpdateTextIndex.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/admin/UpdateTextIndex.java
deleted file mode 100644
index 2331078236..0000000000
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/admin/UpdateTextIndex.java
+++ /dev/null
@@ -1,10 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.requestedAction.admin;
-
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.AdminRequestedAction;
-
-public class UpdateTextIndex extends RequestedAction implements AdminRequestedAction{
-	// no fields
-}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/admin/UploadFile.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/admin/UploadFile.java
deleted file mode 100644
index 2327ecc4ff..0000000000
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/admin/UploadFile.java
+++ /dev/null
@@ -1,18 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.requestedAction.admin;
-
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.AdminRequestedAction;
-
-/** Should we allow the user to upload a file? */
-public class UploadFile extends RequestedAction implements AdminRequestedAction{
-    protected String subjectUri;
-    protected String predicateUri;
-
-    public UploadFile(String subjectUri, String predicateUri) {
-        super();
-        this.subjectUri = subjectUri;
-        this.predicateUri = predicateUri;
-    }
-}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/display/DisplayDataProperty.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/display/DisplayDataProperty.java
deleted file mode 100644
index a452d40fba..0000000000
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/display/DisplayDataProperty.java
+++ /dev/null
@@ -1,24 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.requestedAction.display;
-
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction;
-import edu.cornell.mannlib.vitro.webapp.beans.DataProperty;
-
-/** Should we allow the user to see this DataProperty? */
-public class DisplayDataProperty extends RequestedAction {
-	private final DataProperty dataProperty;
-
-	public DisplayDataProperty(DataProperty dataProperty) {
-		this.dataProperty = dataProperty;
-	}
-
-	public DataProperty getDataProperty() {
-		return dataProperty;
-	}
-
-	@Override
-	public String toString() {
-		return "DisplayDataProperty[" + dataProperty + "]";
-	}
-}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/display/DisplayDataPropertyStatement.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/display/DisplayDataPropertyStatement.java
deleted file mode 100644
index dfa25f1ab2..0000000000
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/display/DisplayDataPropertyStatement.java
+++ /dev/null
@@ -1,29 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.requestedAction.display;
-
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction;
-import edu.cornell.mannlib.vitro.webapp.beans.DataPropertyStatement;
-
-/** Should we let the user see this DataPropertyStatement? */
-public class DisplayDataPropertyStatement extends RequestedAction {
-	private final DataPropertyStatement dataPropertyStatement;
-
-	public DisplayDataPropertyStatement(
-			DataPropertyStatement dataPropertyStatement) {
-		this.dataPropertyStatement = dataPropertyStatement;
-	}
-
-	public DataPropertyStatement getDataPropertyStatement() {
-		return dataPropertyStatement;
-	}
-
-	@Override
-	public String toString() {
-		return "DisplayDataPropertyStatement["
-				+ dataPropertyStatement.getIndividualURI() + "==>"
-				+ dataPropertyStatement.getDatapropURI() + "==>"
-				+ dataPropertyStatement.getData() + "]";
-	}
-
-}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/display/DisplayObjectProperty.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/display/DisplayObjectProperty.java
deleted file mode 100644
index 19b5655641..0000000000
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/display/DisplayObjectProperty.java
+++ /dev/null
@@ -1,25 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.requestedAction.display;
-
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction;
-import edu.cornell.mannlib.vitro.webapp.beans.ObjectProperty;
-
-/** Should we allow the user to see this ObjectProperty? */
-public class DisplayObjectProperty extends RequestedAction {
-	private final ObjectProperty objectProperty;
-
-	public DisplayObjectProperty(ObjectProperty objectProperty) {
-		this.objectProperty = objectProperty;
-	}
-
-	public ObjectProperty getObjectProperty() {
-		return objectProperty;
-	}
-
-	@Override
-	public String toString() {
-		return "DisplayObjectProperty[" + objectProperty + "]";
-	}
-
-}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/display/DisplayObjectPropertyStatement.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/display/DisplayObjectPropertyStatement.java
deleted file mode 100644
index 1decb1196a..0000000000
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/display/DisplayObjectPropertyStatement.java
+++ /dev/null
@@ -1,39 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.requestedAction.display;
-
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction;
-import edu.cornell.mannlib.vitro.webapp.beans.ObjectProperty;
-
-/** Should we let the user see this ObjectPropertyStatement? */
-public class DisplayObjectPropertyStatement extends RequestedAction {
-	private final String subjectUri;
-	private final ObjectProperty property;
-	private final String objectUri;
-
-	public DisplayObjectPropertyStatement(String subjectUri,
-			ObjectProperty property, String objectUri) {
-		this.subjectUri = subjectUri;
-		this.property = property;
-		this.objectUri = objectUri;
-	}
-
-	public String getSubjectUri() {
-		return subjectUri;
-	}
-
-	public ObjectProperty getProperty() {
-		return property;
-	}
-
-	public String getObjectUri() {
-		return objectUri;
-	}
-
-	@Override
-	public String toString() {
-		return "DisplayObjectPropertyStatement[" + subjectUri + "==>"
-				+ property.getURI() + "==>" + objectUri + "]";
-	}
-
-}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/ifaces/AdminRequestedAction.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/ifaces/AdminRequestedAction.java
deleted file mode 100644
index 25e73019c0..0000000000
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/ifaces/AdminRequestedAction.java
+++ /dev/null
@@ -1,8 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces;
-
-/** Denotes an action that is administrative, like adding users, etc. */
-public interface AdminRequestedAction {
-	/** marker interface */
-}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/ifaces/OntoRequestedAction.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/ifaces/OntoRequestedAction.java
deleted file mode 100644
index cc2382901b..0000000000
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/ifaces/OntoRequestedAction.java
+++ /dev/null
@@ -1,8 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces;
-
-/** Denotes an action that relates to manipulating the ontology. */
-public interface OntoRequestedAction {
-	/** marker interface */
-}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/ifaces/RequiresActions.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/ifaces/RequiresActions.java
deleted file mode 100644
index 7199b0f9f6..0000000000
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/ifaces/RequiresActions.java
+++ /dev/null
@@ -1,36 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces;
-
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.AuthorizationRequest;
-import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
-
-/**
- * Interface to objects that provide a list of Actions that are
- * required for the object to be used.
- *
- * This is intended to provide a way to setup DataGetter
- * objects to be used with the FreemarkerHttpServlet.requiredActions()
- * method.
- *
- * @author bdc34
- */
-public interface RequiresActions {
-
-    /**
-     * Returns Actions that are required to be authorized for
-     * the object to be used.
-     *
-     * The code that is calling this method
-     * could use methods from PolicyHelper to check if the
-     * request has authorization to do these Actions. The code
-     * calling this method would then have the ability to
-     * deny the action if it is not authorized.
-     *
-     * @param vreq Vitro request
-     * @return Should not be null. Return Actions.AUTHORIZED
-     * if no authorization is required to do use the object.
-     */
-    public AuthorizationRequest requiredActions(VitroRequest vreq) ;
-
-}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/ifaces/SingleParameterAction.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/ifaces/SingleParameterAction.java
deleted file mode 100644
index f460e4feb9..0000000000
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/ifaces/SingleParameterAction.java
+++ /dev/null
@@ -1,25 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces;
-
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction;
-
-/**
- * A base class for actions that involve a single URI.
- */
-public abstract class SingleParameterAction extends RequestedAction {
-    protected String subjectUri;
-
-    public String getSubjectUri() {
-        return subjectUri;
-    }
-
-    public void setSubjectUri(String subjectUri) {
-        this.subjectUri = subjectUri;
-    }
-
-    @Override
-	public String toString(){
-        return this.getClass().getName() + " <"+subjectUri+">";
-    }
-}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/ontology/CreateOwlClass.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/ontology/CreateOwlClass.java
deleted file mode 100644
index 36b7f732c4..0000000000
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/ontology/CreateOwlClass.java
+++ /dev/null
@@ -1,11 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ontology;
-
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.OntoRequestedAction;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.SingleParameterAction;
-
-/** Should we allow the user to create a new class in the ontology? */
-public class CreateOwlClass extends SingleParameterAction implements OntoRequestedAction {
-	// no fields
-}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/ontology/DefineDataProperty.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/ontology/DefineDataProperty.java
deleted file mode 100644
index f7667d5f91..0000000000
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/ontology/DefineDataProperty.java
+++ /dev/null
@@ -1,11 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ontology;
-
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.OntoRequestedAction;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.SingleParameterAction;
-
-/** Should we allow the user to define a data property in the ontology? */
-public class DefineDataProperty extends SingleParameterAction implements OntoRequestedAction{
-	// no fields
-}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/ontology/DefineObjectProperty.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/ontology/DefineObjectProperty.java
deleted file mode 100644
index 63d1898837..0000000000
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/ontology/DefineObjectProperty.java
+++ /dev/null
@@ -1,11 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ontology;
-
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.OntoRequestedAction;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.SingleParameterAction;
-
-/** Should we allow the user to define a new object property in the ontology? */
-public class DefineObjectProperty extends SingleParameterAction implements OntoRequestedAction{
-	// no fields
-}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/ontology/RemoveOwlClass.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/ontology/RemoveOwlClass.java
deleted file mode 100644
index 495116aaeb..0000000000
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/ontology/RemoveOwlClass.java
+++ /dev/null
@@ -1,11 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ontology;
-
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.OntoRequestedAction;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.SingleParameterAction;
-
-/** Should we allow the user to remove a class from the ontology? */
-public class RemoveOwlClass extends SingleParameterAction implements OntoRequestedAction{
-	// no fields
-}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/propstmt/AbstractDataPropertyStatementAction.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/propstmt/AbstractDataPropertyStatementAction.java
deleted file mode 100644
index 2d9a17338b..0000000000
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/propstmt/AbstractDataPropertyStatementAction.java
+++ /dev/null
@@ -1,72 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt;
-
-import org.apache.jena.ontology.OntModel;
-
-import edu.cornell.mannlib.vitro.webapp.beans.DataPropertyStatement;
-import edu.cornell.mannlib.vitro.webapp.beans.Property;
-
-/**
- * A base class for requested actions that involve adding, editing, or dropping
- * data property statements from a model.
- */
-public abstract class AbstractDataPropertyStatementAction extends
-		AbstractPropertyStatementAction {
-	private final String subjectUri;
-	private final String predicateUri;
-	private final Property predicate;
-	private final String dataValue;
-
-	public AbstractDataPropertyStatementAction(OntModel ontModel,
-			String subjectUri, String predicateUri, String dataValue) {
-		super(ontModel);
-		this.subjectUri = subjectUri;
-		this.predicateUri = predicateUri;
-		Property dataProperty = new Property();
-		dataProperty.setURI(predicateUri);
-		this.predicate = dataProperty;
-		this.dataValue = dataValue;
-	}
-
-	public AbstractDataPropertyStatementAction(OntModel ontModel,
-			DataPropertyStatement dps) {
-		super(ontModel);
-		this.subjectUri = (dps.getIndividual() == null) ? dps
-				.getIndividualURI() : dps.getIndividual().getURI();
-		this.predicateUri = dps.getDatapropURI();
-	    Property dataProperty = new Property();
-	    dataProperty.setURI(predicateUri);
-	    this.predicate = dataProperty;
-	    this.dataValue = dps.getData();
-	}
-
-	public String getSubjectUri() {
-		return subjectUri;
-	}
-
-	@Override
-	public Property getPredicate() {
-	    return predicate;
-	}
-
-	@Override
-	public String getPredicateUri() {
-		return predicateUri;
-	}
-
-	@Override
-	public String[] getResourceUris() {
-		return new String[] {subjectUri};
-	}
-
-	public String dataValue() {
-		return dataValue;
-	}
-
-	@Override
-	public String toString() {
-		return getClass().getSimpleName() + ": <" + subjectUri + "> <"
-				+ predicateUri + ">";
-	}
-}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/propstmt/AbstractObjectPropertyStatementAction.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/propstmt/AbstractObjectPropertyStatementAction.java
deleted file mode 100644
index 2e70191e10..0000000000
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/propstmt/AbstractObjectPropertyStatementAction.java
+++ /dev/null
@@ -1,55 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt;
-
-import org.apache.jena.ontology.OntModel;
-
-import edu.cornell.mannlib.vitro.webapp.beans.Property;
-
-/**
- * A base class for requested actions that involve adding, editing, or deleting
- * object property statements from a model.
- */
-public abstract class AbstractObjectPropertyStatementAction extends
-		AbstractPropertyStatementAction {
-	private final String subjectUri;
-	private final Property predicate;
-	private final String objectUri;
-
-	public AbstractObjectPropertyStatementAction(OntModel ontModel,
-			String subjectUri, Property predicate, String objectUri) {
-		super(ontModel);
-		this.subjectUri = subjectUri;
-		this.predicate = predicate;
-		this.objectUri = objectUri;
-	}
-
-	public String getSubjectUri() {
-		return subjectUri;
-	}
-
-	public String getObjectUri() {
-		return objectUri;
-	}
-
-	@Override
-	public Property getPredicate() {
-		return predicate;
-	}
-
-	@Override
-	public String getPredicateUri() {
-		return predicate.getURI();
-	}
-
-	@Override
-	public String[] getResourceUris() {
-		return new String[] { subjectUri, objectUri };
-	}
-
-	@Override
-	public String toString() {
-		return this.getClass().getSimpleName() + ": <" + subjectUri + "> <"
-				+ predicate.getURI() + "> <" + objectUri + ">";
-	}
-}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/propstmt/AbstractPropertyStatementAction.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/propstmt/AbstractPropertyStatementAction.java
deleted file mode 100644
index b0351a9d45..0000000000
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/propstmt/AbstractPropertyStatementAction.java
+++ /dev/null
@@ -1,34 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt;
-
-import org.apache.jena.ontology.OntModel;
-
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction;
-import edu.cornell.mannlib.vitro.webapp.beans.Property;
-
-/**
- * A base class for requested actions that involve adding, editing, or deleting
- * statements from a model.
- */
-public abstract class AbstractPropertyStatementAction extends RequestedAction {
-	private final OntModel ontModel;
-
-	public AbstractPropertyStatementAction(OntModel ontModel) {
-		this.ontModel = ontModel;
-	}
-
-	public OntModel getOntModel() {
-		return ontModel;
-	}
-
-	/**
-	 * Get the URI of the Resources that are involved in this statement. Those
-	 * are the Subject, and the Object if this is an ObjectProperty request.
-	 */
-	public abstract String[] getResourceUris();
-
-	public abstract Property getPredicate();
-
-	public abstract String getPredicateUri();
-}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/propstmt/AddDataPropertyStatement.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/propstmt/AddDataPropertyStatement.java
deleted file mode 100644
index 8b49ddc6b9..0000000000
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/propstmt/AddDataPropertyStatement.java
+++ /dev/null
@@ -1,24 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt;
-
-import org.apache.jena.ontology.OntModel;
-
-import edu.cornell.mannlib.vitro.webapp.beans.DataPropertyStatement;
-
-/**
- * Should we allow the user to add this DataPropertyStatement to this model?
- */
-public class AddDataPropertyStatement extends
-		AbstractDataPropertyStatementAction {
-
-	public AddDataPropertyStatement(OntModel ontModel, String subjectUri,
-			String predicateUri, String dataValue) {
-		super(ontModel, subjectUri, predicateUri, dataValue);
-	}
-
-	public AddDataPropertyStatement(OntModel ontModel, DataPropertyStatement dps) {
-		super(ontModel, dps);
-	}
-
-}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/propstmt/AddObjectPropertyStatement.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/propstmt/AddObjectPropertyStatement.java
deleted file mode 100644
index cc3f53dc65..0000000000
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/propstmt/AddObjectPropertyStatement.java
+++ /dev/null
@@ -1,19 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt;
-
-import org.apache.jena.ontology.OntModel;
-
-import edu.cornell.mannlib.vitro.webapp.beans.Property;
-
-/**
- * Should we allow the user to add this ObjectPropertyStatement to this model?
- */
-public class AddObjectPropertyStatement extends
-		AbstractObjectPropertyStatementAction {
-	public AddObjectPropertyStatement(OntModel ontModel, String uriOfSub,
-			Property predicate, String uriOfObj) {
-		super(ontModel, uriOfSub, predicate, uriOfObj);
-	}
-
-}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/propstmt/DropDataPropertyStatement.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/propstmt/DropDataPropertyStatement.java
deleted file mode 100644
index e801837dc1..0000000000
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/propstmt/DropDataPropertyStatement.java
+++ /dev/null
@@ -1,25 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt;
-
-import org.apache.jena.ontology.OntModel;
-
-import edu.cornell.mannlib.vitro.webapp.beans.DataPropertyStatement;
-
-/**
- * Should we allow the user to delete this DataPropertyStatement from this
- * model?
- */
-public class DropDataPropertyStatement extends
-		AbstractDataPropertyStatementAction {
-
-	public DropDataPropertyStatement(OntModel ontModel, String subjectUri,
-			String predicateUri, String dataValue) {
-		super(ontModel, subjectUri, predicateUri, dataValue);
-	}
-
-	public DropDataPropertyStatement(OntModel ontModel,
-			DataPropertyStatement dps) {
-		super(ontModel, dps);
-	}
-}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/propstmt/DropObjectPropertyStatement.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/propstmt/DropObjectPropertyStatement.java
deleted file mode 100644
index 36549b8b8f..0000000000
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/propstmt/DropObjectPropertyStatement.java
+++ /dev/null
@@ -1,19 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt;
-
-import org.apache.jena.ontology.OntModel;
-
-import edu.cornell.mannlib.vitro.webapp.beans.Property;
-
-/**
- * Should we allow the user to delete this ObjectPropertyStatement from this
- * model?
- */
-public class DropObjectPropertyStatement extends
-		AbstractObjectPropertyStatementAction {
-	public DropObjectPropertyStatement(OntModel ontModel, String sub,
-			Property pred, String obj) {
-		super(ontModel, sub, pred, obj);
-	}
-}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/propstmt/EditDataPropertyStatement.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/propstmt/EditDataPropertyStatement.java
deleted file mode 100644
index 8fe4939d68..0000000000
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/propstmt/EditDataPropertyStatement.java
+++ /dev/null
@@ -1,23 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt;
-
-import org.apache.jena.ontology.OntModel;
-
-import edu.cornell.mannlib.vitro.webapp.beans.DataPropertyStatement;
-
-/**
- * Should we allow the user to edit this DataPropertyStatement in this model?
- */
-public class EditDataPropertyStatement extends
-		AbstractDataPropertyStatementAction {
-	public EditDataPropertyStatement(OntModel ontModel, String subjectUri,
-			String predicateUri, String dataValue) {
-		super(ontModel, subjectUri, predicateUri, dataValue);
-	}
-
-	public EditDataPropertyStatement(OntModel ontModel,
-			DataPropertyStatement dps) {
-		super(ontModel, dps);
-	}
-}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/propstmt/EditObjectPropertyStatement.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/propstmt/EditObjectPropertyStatement.java
deleted file mode 100644
index d85bfe7842..0000000000
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/propstmt/EditObjectPropertyStatement.java
+++ /dev/null
@@ -1,18 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt;
-
-import org.apache.jena.ontology.OntModel;
-
-import edu.cornell.mannlib.vitro.webapp.beans.Property;
-
-/**
- * Should we allow the user to edit this ObjectPropertyStatement in this model?
- */
-public class EditObjectPropertyStatement extends
-		AbstractObjectPropertyStatementAction {
-	public EditObjectPropertyStatement(OntModel ontModel, String subjectUri,
-			Property keywordPred, String objectUri) {
-		super(ontModel, subjectUri, keywordPred, objectUri);
-	}
-}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/publish/PublishDataProperty.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/publish/PublishDataProperty.java
deleted file mode 100644
index e3d36a3e36..0000000000
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/publish/PublishDataProperty.java
+++ /dev/null
@@ -1,24 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.requestedAction.publish;
-
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction;
-import edu.cornell.mannlib.vitro.webapp.beans.DataProperty;
-
-/** Should we allow the user to publish this DataProperty in Linked Open Data? */
-public class PublishDataProperty extends RequestedAction {
-	private final DataProperty dataProperty;
-
-	public PublishDataProperty(DataProperty dataProperty) {
-		this.dataProperty = dataProperty;
-	}
-
-	public DataProperty getDataProperty() {
-		return dataProperty;
-	}
-
-	@Override
-	public String toString() {
-		return "PublishDataProperty[" + dataProperty + "]";
-	}
-}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/publish/PublishDataPropertyStatement.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/publish/PublishDataPropertyStatement.java
deleted file mode 100644
index 03c019a80d..0000000000
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/publish/PublishDataPropertyStatement.java
+++ /dev/null
@@ -1,26 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.requestedAction.publish;
-
-import org.apache.jena.ontology.OntModel;
-
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AbstractDataPropertyStatementAction;
-import edu.cornell.mannlib.vitro.webapp.beans.DataPropertyStatement;
-
-/**
- * Should we publish this DataPropertyStatement in a Linked Open Data request
- * from the current user?
- */
-public class PublishDataPropertyStatement extends
-		AbstractDataPropertyStatementAction {
-	public PublishDataPropertyStatement(OntModel ontModel, String subjectUri,
-			String predicateUri, String dataValue) {
-		super(ontModel, subjectUri, predicateUri, dataValue);
-	}
-
-	public PublishDataPropertyStatement(OntModel ontModel,
-			DataPropertyStatement dps) {
-		super(ontModel, dps);
-	}
-
-}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/publish/PublishObjectProperty.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/publish/PublishObjectProperty.java
deleted file mode 100644
index 5120a04cf0..0000000000
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/publish/PublishObjectProperty.java
+++ /dev/null
@@ -1,24 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.requestedAction.publish;
-
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction;
-import edu.cornell.mannlib.vitro.webapp.beans.ObjectProperty;
-
-/** Should we allow the user to publish this ObjectProperty in Linked Open Data? */
-public class PublishObjectProperty extends RequestedAction {
-	private final ObjectProperty objectProperty;
-
-	public PublishObjectProperty(ObjectProperty objectProperty) {
-		this.objectProperty = objectProperty;
-	}
-
-	public ObjectProperty getObjectProperty() {
-		return objectProperty;
-	}
-
-	@Override
-	public String toString() {
-		return "PublishObjectProperty[" + objectProperty.getLocalName() + "]";
-	}
-}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/publish/PublishObjectPropertyStatement.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/publish/PublishObjectPropertyStatement.java
deleted file mode 100644
index cf593284fa..0000000000
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/publish/PublishObjectPropertyStatement.java
+++ /dev/null
@@ -1,40 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.requestedAction.publish;
-
-import static edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction.SOME_URI;
-
-import org.apache.jena.ontology.OntModel;
-
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AbstractObjectPropertyStatementAction;
-import edu.cornell.mannlib.vitro.webapp.beans.Property;
-
-/**
- * Should we publish this ObjectPropertyStatement in a Linked Open Data request
- * from the current user?
- */
-
-public class PublishObjectPropertyStatement extends
-		AbstractObjectPropertyStatementAction {
-	public PublishObjectPropertyStatement(OntModel ontModel, String subjectUri,
-			Property keywordPred, String objectUri) {
-		super(ontModel, subjectUri, keywordPred, objectUri);
-	}
-
-	/**
-	 * We don't need to know range and domain because publishing never involves
-	 * faux properties.
-	 */
-	public PublishObjectPropertyStatement(OntModel ontModel,
-			String subjectUri,
-			String predicateUri, String objectUri) {
-		this(ontModel, subjectUri, populateProperty(predicateUri), objectUri);
-	}
-
-	private static Property populateProperty(String predicateUri) {
-		Property prop = new Property(predicateUri);
-		prop.setDomainVClassURI(SOME_URI);
-		prop.setRangeVClassURI(SOME_URI);
-		return prop;
-	}
-}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/resource/AbstractResourceAction.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/resource/AbstractResourceAction.java
deleted file mode 100644
index a3354af9d6..0000000000
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/resource/AbstractResourceAction.java
+++ /dev/null
@@ -1,33 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.requestedAction.resource;
-
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction;
-
-/**
- * A common base class for resource-related actions.
- */
-public abstract class AbstractResourceAction extends RequestedAction {
-	private final String typeUri;
-	private final String subjectUri;
-
-	public AbstractResourceAction(String typeUri, String subjectUri) {
-		this.typeUri = typeUri;
-		this.subjectUri = subjectUri;
-	}
-
-	// This should return a list of type URIs since an Indiviudal can be
-	// multiple types.
-	public String getTypeUri() {
-		return typeUri;
-	}
-
-	public String getSubjectUri() {
-		return subjectUri;
-	}
-
-	@Override
-	public String toString() {
-		return this.getClass().getSimpleName() + " <" + subjectUri + ">";
-	}
-}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/resource/AddResource.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/resource/AddResource.java
deleted file mode 100644
index 6f748975b6..0000000000
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/resource/AddResource.java
+++ /dev/null
@@ -1,11 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.requestedAction.resource;
-
-/** Should we allow the user to add a Resource to the model? */
-public class AddResource extends AbstractResourceAction {
-
-	public AddResource(String typeUri, String subjectUri) {
-		super(typeUri, subjectUri);
-	}
-}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/resource/DropResource.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/resource/DropResource.java
deleted file mode 100644
index 7dadddc433..0000000000
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/resource/DropResource.java
+++ /dev/null
@@ -1,11 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.requestedAction.resource;
-
-/** Should we allow the user to delete a Resource from the model? */
-public class DropResource extends AbstractResourceAction {
-
-	public DropResource(String typeUri, String subjectUri) {
-		super(typeUri, subjectUri);
-	}
-}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/usepages/ManageRootAccount.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/usepages/ManageRootAccount.java
deleted file mode 100644
index f2603b34aa..0000000000
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/usepages/ManageRootAccount.java
+++ /dev/null
@@ -1,12 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages;
-
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction;
-
-/**
- * Should we allow the user to edit or delete the root account?
- */
-public class ManageRootAccount extends RequestedAction {
-	// no fields
-}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/usepages/UsePagesRequestedAction.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/usepages/UsePagesRequestedAction.java
deleted file mode 100644
index 7910825dd7..0000000000
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/usepages/UsePagesRequestedAction.java
+++ /dev/null
@@ -1,8 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages;
-
-/** Denotes a request to use a particular page or group of pages. */
-public interface UsePagesRequestedAction {
-	/** marker interface */
-}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/rules/AccessRule.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/rules/AccessRule.java
new file mode 100644
index 0000000000..42ba614897
--- /dev/null
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/rules/AccessRule.java
@@ -0,0 +1,37 @@
+/* $This file is distributed under the terms of the license in LICENSE$ */
+
+package edu.cornell.mannlib.vitro.webapp.auth.rules;
+
+import java.util.List;
+import java.util.Set;
+
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.Attribute;
+import edu.cornell.mannlib.vitro.webapp.auth.checks.Check;
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.AuthorizationRequest;
+
+public interface AccessRule {
+
+    boolean isAllowMatched();
+
+    void setAllowMatched(boolean allowMatched);
+
+    String getRuleUri();
+
+    void setRuleUri(String ruleUri);
+
+    List<Check> getChecks();
+
+    boolean match(AuthorizationRequest ar);
+
+    void addCheck(Check attr);
+
+    Set<String> getCheckUris();
+
+    boolean containsCheckUri(String uri);
+
+    Set<Check> getChecksByType(Attribute type);
+
+    long getChecksCount();
+
+    Check getCheck(String uri);
+}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/rules/AccessRuleFactory.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/rules/AccessRuleFactory.java
new file mode 100644
index 0000000000..8c08ebf077
--- /dev/null
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/rules/AccessRuleFactory.java
@@ -0,0 +1,33 @@
+/* $This file is distributed under the terms of the license in LICENSE$ */
+
+package edu.cornell.mannlib.vitro.webapp.auth.rules;
+
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AttributeValueKey;
+import edu.cornell.mannlib.vitro.webapp.auth.checks.CheckFactory;
+import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyLoader;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.jena.query.QuerySolution;
+
+public class AccessRuleFactory {
+
+    private static final Log log = LogFactory.getLog(AccessRuleFactory.class);
+
+    public static AccessRule createRule(QuerySolution qs) {
+        return createRule(qs, null);
+    }
+
+    public static AccessRule createRule(QuerySolution qs, AttributeValueKey key) {
+        AccessRule ar = new FastFailAccessRule();
+        String ruleUri = qs.getResource(PolicyLoader.RULE).getURI();
+        ar.setRuleUri(ruleUri);
+        ar.addCheck(CheckFactory.createCheck(qs, key));
+        if (qs.contains("decision_id") && qs.get("decision_id").isLiteral()) {
+            String decisionId = qs.getLiteral("decision_id").getString();
+            if (RuleDecision.DENY.toString().equals(decisionId)) {
+                ar.setAllowMatched(false);
+            }
+        }
+        return ar;
+    }
+}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/rules/FastFailAccessRule.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/rules/FastFailAccessRule.java
new file mode 100644
index 0000000000..82d46e5fec
--- /dev/null
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/rules/FastFailAccessRule.java
@@ -0,0 +1,130 @@
+/* $This file is distributed under the terms of the license in LICENSE$ */
+
+package edu.cornell.mannlib.vitro.webapp.auth.rules;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.Comparator;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import java.util.stream.Collectors;
+
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.Attribute;
+import edu.cornell.mannlib.vitro.webapp.auth.checks.Check;
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.AuthorizationRequest;
+import org.apache.commons.lang3.builder.EqualsBuilder;
+import org.apache.commons.lang3.builder.HashCodeBuilder;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+public class FastFailAccessRule implements AccessRule {
+    private static final Log log = LogFactory.getLog(FastFailAccessRule.class);
+    protected Map<String, Check> checksMap = new HashMap<>();
+    protected List<Check> checks = new ArrayList<Check>();
+    private static final Comparator<Check> comparator = getAttributeComparator();
+
+    private boolean allowMatched = true;
+    private String ruleUri;
+
+    public boolean isAllowMatched() {
+        return allowMatched;
+    }
+
+    public void setAllowMatched(boolean allowMatched) {
+        this.allowMatched = allowMatched;
+    }
+
+    public String getRuleUri() {
+        return ruleUri;
+    }
+
+    public void setRuleUri(String ruleUri) {
+        this.ruleUri = ruleUri;
+    }
+
+    public List<Check> getChecks() {
+        return checks;
+    }
+
+    public boolean match(AuthorizationRequest ar) {
+        for (Check check : checks) {
+            if (!check.check(ar)) {
+                if (log.isDebugEnabled()) {
+                    log.debug(String.format("Check %s didn't match request %s", check.getUri(), ar));
+                }
+                return false;
+            }
+        }
+        return true;
+    }
+
+    public void addCheck(Check attr) {
+        if (checksMap.containsKey(attr.getUri())) {
+            log.error(String.format("Check %s already exists in the rule", attr.getUri()));
+        }
+        checks.add(attr);
+        Collections.sort(checks, comparator);
+        checksMap.put(attr.getUri(), attr);
+    }
+
+    @Override
+    public boolean equals(Object object) {
+        if (!(object instanceof AccessRule)) {
+            return false;
+        }
+        if (object == this) {
+            return true;
+        }
+        AccessRule compared = (AccessRule) object;
+
+        return new EqualsBuilder()
+                .append(getRuleUri(), compared.getRuleUri())
+                .append(getChecks(), compared.getChecks())
+                .isEquals();
+    }
+
+    @Override
+    public int hashCode() {
+        return new HashCodeBuilder(15, 101)
+                .append(getChecks())
+                .append(getRuleUri())
+                .toHashCode();
+    }
+
+    public Set<String> getCheckUris() {
+        return checksMap.keySet();
+    }
+
+    public boolean containsCheckUri(String uri) {
+        return checksMap.containsKey(uri);
+    }
+
+    public Set<Check> getChecksByType(Attribute type) {
+        return getChecks().stream().filter(a -> a.getAttributeType().equals(type)).collect(Collectors.toSet());
+    }
+
+    public long getChecksCount() {
+        return checks.size();
+    }
+
+    public Check getCheck(String uri) {
+        return checksMap.get(uri);
+    }
+
+    private static Comparator<Check> getAttributeComparator() {
+        return new Comparator<Check>() {
+            @Override
+            public int compare(Check latt, Check ratt) {
+                if (latt.getComputationalCost() > ratt.getComputationalCost()) {
+                    return -1;
+                } else if (latt.getComputationalCost() < ratt.getComputationalCost()) {
+                    return 1;
+                }
+                return latt.getUri().compareTo(latt.getUri());
+            }
+        };
+    }
+
+}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/rules/RuleDecision.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/rules/RuleDecision.java
new file mode 100644
index 0000000000..cb65e2bfa0
--- /dev/null
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/rules/RuleDecision.java
@@ -0,0 +1,8 @@
+/* $This file is distributed under the terms of the license in LICENSE$ */
+
+package edu.cornell.mannlib.vitro.webapp.auth.rules;
+
+public enum RuleDecision {
+    ALLOW,
+    DENY
+}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/beans/BaseResourceBean.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/beans/BaseResourceBean.java
index 9633414c3a..802a206cfb 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/beans/BaseResourceBean.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/beans/BaseResourceBean.java
@@ -2,18 +2,12 @@
 
 package edu.cornell.mannlib.vitro.webapp.beans;
 
-import java.util.Set;
-
-import javax.servlet.http.HttpServletRequest;
-
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
 import org.apache.jena.rdf.model.Resource;
 import org.apache.jena.rdf.model.ResourceFactory;
 
-import edu.cornell.mannlib.vedit.beans.LoginStatusBean;
-import edu.cornell.mannlib.vitro.webapp.auth.permissions.PermissionSets;
 import edu.cornell.mannlib.vitro.webapp.dao.VitroVocabulary;
 
 public class BaseResourceBean implements ResourceBean {
@@ -25,94 +19,6 @@ public class BaseResourceBean implements ResourceBean {
     protected String localNameWithPrefix = null;
     protected String pickListName = null;
 
-    protected RoleLevel hiddenFromDisplayBelowRoleLevel = null;
-    protected RoleLevel prohibitedFromUpdateBelowRoleLevel = null;
-    protected RoleLevel hiddenFromPublishBelowRoleLevel = null;
-
-	public enum RoleLevel {
-		PUBLIC("http://vitro.mannlib.cornell.edu/ns/vitro/role#public",
-				"all users, including public", "all users who can log in",
-				"public"),
-
-		SELF("http://vitro.mannlib.cornell.edu/ns/vitro/role#selfEditor",
-				"self-editor and above", "self-editor and above", "self"),
-
-		EDITOR("http://vitro.mannlib.cornell.edu/ns/vitro/role#editor",
-				"editor and above", "editor and above", "editor"),
-
-		CURATOR("http://vitro.mannlib.cornell.edu/ns/vitro/role#curator",
-				"curator and above", "curator and above", "curator"),
-
-		DB_ADMIN("http://vitro.mannlib.cornell.edu/ns/vitro/role#dbAdmin",
-				"site admin and root user", "site admin and root user",
-				"siteAdmin"),
-
-		NOBODY("http://vitro.mannlib.cornell.edu/ns/vitro/role#nobody",
-				"root user", "root user", "root");
-
-		private final String uri;
-		private final String displayLabel;
-		private final String updateLabel;
-		private final String shorthand;
-
-		private RoleLevel(String uri, String displayLabel, String updateLabel,
-				String shorthand) {
-			this.uri = uri;
-			this.displayLabel = displayLabel;
-			this.updateLabel = updateLabel;
-			this.shorthand = shorthand;
-		}
-
-		public String getURI() {
-			return uri;
-		}
-
-		public String getDisplayLabel() {
-			return displayLabel;
-		}
-
-		public String getUpdateLabel() {
-			return updateLabel;
-		}
-
-		public String getShorthand() {
-			return shorthand;
-		}
-
-		// Never returns null.
-		public static RoleLevel getRoleByUri(String uri2) {
-			if (uri2 == null)
-				return RoleLevel.values()[0];
-
-			for (RoleLevel role : RoleLevel.values()) {
-				if (role.uri.equals(uri2))
-					return role;
-			}
-			return RoleLevel.values()[0];
-		}
-
-		public static RoleLevel getRoleFromLoginStatus(HttpServletRequest req) {
-			UserAccount u = LoginStatusBean.getCurrentUser(req);
-			if (u == null) {
-				return PUBLIC;
-			}
-
-			Set<String> roles = u.getPermissionSetUris();
-			if (roles.contains(PermissionSets.URI_DBA)) {
-				return DB_ADMIN;
-			} else if (roles.contains(PermissionSets.URI_CURATOR)) {
-				return CURATOR;
-			} else if (roles.contains(PermissionSets.URI_EDITOR)) {
-				return EDITOR;
-			} else if (roles.contains(PermissionSets.URI_SELF_EDITOR)) {
-				return SELF;
-			} else {
-				// Logged in but with no recognized role? Make them SELF
-				return SELF;
-			}
-		}
-	}
-
 	public BaseResourceBean() {
 	    // default constructor
 	}
@@ -203,51 +109,6 @@ public void setPickListName(String pickListName) {
         this.pickListName = pickListName;
     }
 
-    @Override
-	public RoleLevel getHiddenFromDisplayBelowRoleLevel() {
-        return hiddenFromDisplayBelowRoleLevel;
-    }
-
-    @Override
-	public void setHiddenFromDisplayBelowRoleLevel(RoleLevel level) {
-        hiddenFromDisplayBelowRoleLevel = level;
-    }
-
-    @Override
-	public void setHiddenFromDisplayBelowRoleLevelUsingRoleUri(String roleUri) {
-        hiddenFromDisplayBelowRoleLevel = RoleLevel.getRoleByUri(roleUri);
-    }
-
-    @Override
-	public RoleLevel getProhibitedFromUpdateBelowRoleLevel() {
-        return prohibitedFromUpdateBelowRoleLevel;
-    }
-
-    @Override
-	public void setProhibitedFromUpdateBelowRoleLevel(RoleLevel level) {
-        prohibitedFromUpdateBelowRoleLevel = level;
-    }
-
-    @Override
-	public void setProhibitedFromUpdateBelowRoleLevelUsingRoleUri(String roleUri) {
-        prohibitedFromUpdateBelowRoleLevel = RoleLevel.getRoleByUri(roleUri);
-    }
-
-	@Override
-	public RoleLevel getHiddenFromPublishBelowRoleLevel() {
-        return hiddenFromPublishBelowRoleLevel;
-	}
-
-    @Override
-	public void setHiddenFromPublishBelowRoleLevel(RoleLevel level) {
-        hiddenFromPublishBelowRoleLevel = level;
-    }
-
-    @Override
-	public void setHiddenFromPublishBelowRoleLevelUsingRoleUri(String roleUri) {
-    	hiddenFromPublishBelowRoleLevel = BaseResourceBean.RoleLevel.getRoleByUri(roleUri);
-    }
-
 	@Override
 	public boolean equals(Object obj) {
 		if(obj == null )
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/beans/DataProperty.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/beans/DataProperty.java
index 05bc0396ac..4a39698beb 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/beans/DataProperty.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/beans/DataProperty.java
@@ -6,15 +6,13 @@
 import java.util.List;
 import java.util.LinkedList;
 
-import edu.cornell.mannlib.vitro.webapp.auth.policy.bean.RoleRestrictedProperty;
-
 /**
  * class representing a property that relates an entity (object)
  * to a data literal
  * @author bjl23
  *
  */
-public class DataProperty extends Property implements Comparable<DataProperty>, ResourceBean, RoleRestrictedProperty {
+public class DataProperty extends Property implements Comparable<DataProperty>, ResourceBean {
 
     private String name = null;
     private String publicName = null;
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/beans/FauxProperty.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/beans/FauxProperty.java
index cebc1d68b5..baa76aab5e 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/beans/FauxProperty.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/beans/FauxProperty.java
@@ -8,14 +8,11 @@
 
 import org.apache.commons.lang3.StringUtils;
 
-import edu.cornell.mannlib.vitro.webapp.auth.policy.bean.RoleRestrictedProperty;
-
 /**
  * Represents a specialization on an ObjectProperty, only meaningful for
  * display.
  */
-public class FauxProperty extends BaseResourceBean implements ResourceBean,
-		RoleRestrictedProperty {
+public class FauxProperty extends Property implements ResourceBean {
 	// Must be null on insert. Must not be null on update. Ignored on delete.
 	private String contextUri;
 	// Must be null on insert. Must not be null on update. Ignored on delete.
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/beans/ObjectProperty.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/beans/ObjectProperty.java
index 87cf27dfb4..b409494574 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/beans/ObjectProperty.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/beans/ObjectProperty.java
@@ -16,13 +16,11 @@
 
 import org.apache.jena.datatypes.xsd.XSDDatatype;
 
-import edu.cornell.mannlib.vitro.webapp.auth.policy.bean.RoleRestrictedProperty;
-
 /**
  * a class representing an object property
  *
  */
-public class ObjectProperty extends Property implements Comparable<ObjectProperty>, ResourceBean, Cloneable, RoleRestrictedProperty
+public class ObjectProperty extends Property implements Comparable<ObjectProperty>, ResourceBean, Cloneable
 {
 	private static final Log log = LogFactory.getLog(ObjectProperty.class.getName());
 
@@ -631,8 +629,6 @@ public ObjectProperty clone()
         clone.setExample(this.getExample());
         clone.setFunctional(this.getFunctional());
         clone.setGroupURI(this.getGroupURI());
-        clone.setHiddenFromDisplayBelowRoleLevel(this.getHiddenFromDisplayBelowRoleLevel());
-        clone.setHiddenFromPublishBelowRoleLevel(this.getHiddenFromPublishBelowRoleLevel());
         clone.setInverseFunctional(this.getInverseFunctional());
         clone.setLabel(this.getLabel());
         clone.setLocalName(this.getLocalName());
@@ -644,7 +640,6 @@ public ObjectProperty clone()
         clone.setOfferCreateNewOption(this.getOfferCreateNewOption());
         clone.setParentURI(this.getParentURI());
         clone.setPickListName(this.getPickListName());
-        clone.setProhibitedFromUpdateBelowRoleLevel(this.getProhibitedFromUpdateBelowRoleLevel());
         clone.setPublicDescription(this.getPublicDescription());
         clone.setRangeDisplayLimit(this.getRangeDisplayLimit());
         clone.setRangeDisplayTier(this.getRangeDisplayTier());
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/beans/ResourceBean.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/beans/ResourceBean.java
index 1e8a2cdfbd..716cdfe55e 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/beans/ResourceBean.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/beans/ResourceBean.java
@@ -2,8 +2,6 @@
 
 package edu.cornell.mannlib.vitro.webapp.beans;
 
-import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean.RoleLevel;
-
 /**
  * User: bdc34
  * Date: Oct 18, 2007
@@ -27,24 +25,6 @@ public interface ResourceBean {
 
     String getLabel();
 
-    public RoleLevel getHiddenFromDisplayBelowRoleLevel() ;
-
-    public void setHiddenFromDisplayBelowRoleLevel(RoleLevel eR) ;
-
-    public void setHiddenFromDisplayBelowRoleLevelUsingRoleUri(String roleUri) ;
-
-    public RoleLevel getProhibitedFromUpdateBelowRoleLevel() ;
-
-    public void setProhibitedFromUpdateBelowRoleLevel(RoleLevel eR) ;
-
-    public void setProhibitedFromUpdateBelowRoleLevelUsingRoleUri(String roleUri) ;
-
-    public RoleLevel getHiddenFromPublishBelowRoleLevel() ;
-
-    public void setHiddenFromPublishBelowRoleLevel(RoleLevel eR) ;
-
-    public void setHiddenFromPublishBelowRoleLevelUsingRoleUri(String roleUri) ;
-
     public String getPickListName();
 
 }
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/beans/SelfEditingConfiguration.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/beans/SelfEditingConfiguration.java
index 06eab4472b..b9d8795c02 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/beans/SelfEditingConfiguration.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/beans/SelfEditingConfiguration.java
@@ -21,13 +21,22 @@
  * used methods on those properties.
  */
 public class SelfEditingConfiguration {
-	private static final Log log = LogFactory
-			.getLog(SelfEditingConfiguration.class);
+	private static final Log log = LogFactory.getLog(SelfEditingConfiguration.class);
 
-	private static final String BEAN_ATTRIBUTE = SelfEditingConfiguration.class
-			.getName();
+	private static SelfEditingConfiguration INSTANCE;
 
-	/**
+	public static SelfEditingConfiguration getInstance() {
+        if (INSTANCE != null) {
+            return INSTANCE;
+        }
+
+        SelfEditingConfiguration bean = buildBean();
+        log.debug("Created a bean: " + bean);
+        INSTANCE = bean;
+        return bean;
+    }
+
+    /**
 	 * This configuration property tells us which data property on the
 	 * Individual is used to associate it with a net ID.
 	 */
@@ -65,20 +74,11 @@ public static SelfEditingConfiguration getBean(ServletRequest request) {
 	 * Never returns null.
 	 */
 	public static SelfEditingConfiguration getBean(ServletContext ctx) {
-		Object attr = ctx.getAttribute(BEAN_ATTRIBUTE);
-		if (attr instanceof SelfEditingConfiguration) {
-			log.debug("Found a bean: " + attr);
-			return (SelfEditingConfiguration) attr;
-		}
-
-		SelfEditingConfiguration bean = buildBean(ctx);
-		log.debug("Created a bean: " + bean);
-		ctx.setAttribute(BEAN_ATTRIBUTE, bean);
-		return bean;
+		return getInstance();
 	}
 
-	private static SelfEditingConfiguration buildBean(ServletContext ctx) {
-		ConfigurationProperties config = ConfigurationProperties.getBean(ctx);
+	private static SelfEditingConfiguration buildBean() {
+		ConfigurationProperties config = ConfigurationProperties.getInstance();
 		String selfEditingIdMatchingProperty = config
 				.getProperty(PROPERTY_SELF_EDITING_ID_MATCHING_PROPERTY);
 		return new SelfEditingConfiguration(selfEditingIdMatchingProperty);
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/config/ConfigurationProperties.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/config/ConfigurationProperties.java
index ee27feef38..e8e6f950a8 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/config/ConfigurationProperties.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/config/ConfigurationProperties.java
@@ -9,7 +9,6 @@
 import javax.servlet.ServletContextEvent;
 import javax.servlet.ServletRequest;
 import javax.servlet.http.HttpServlet;
-import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpSession;
 
 import org.apache.commons.logging.Log;
@@ -26,98 +25,69 @@
 public abstract class ConfigurationProperties {
 	private static final Log log = LogFactory
 			.getLog(ConfigurationProperties.class);
-
-	/** The bean is attached to the session by this name. */
-	private static final String ATTRIBUTE_NAME = ConfigurationProperties.class
-			.getName();
-
+	
 	/** If they ask for a bean before one has been set, they get this. */
 	private static final ConfigurationProperties DUMMY_PROPERTIES = new DummyConfigurationProperties();
 
+    private static ConfigurationProperties INSTANCE = DUMMY_PROPERTIES;
+
+    public static ConfigurationProperties getInstance() {
+        if (INSTANCE == DUMMY_PROPERTIES) {
+            log.error("ConfigurationProperties bean has not been set.");
+        }
+        return INSTANCE;
+    }
+
+    public static void setInstance(ConfigurationProperties props) {
+        INSTANCE = props;
+    }
 	// ----------------------------------------------------------------------
 	// static methods
 	// ----------------------------------------------------------------------
 
+    @Deprecated
 	public static ConfigurationProperties getBean(ServletRequest request) {
-		if (request == null) {
-			throw new NullPointerException("request may not be null.");
-		}
-		if (!(request instanceof HttpServletRequest)) {
-			throw new IllegalArgumentException(
-					"request must be an HttpServletRequest");
-		}
-		HttpServletRequest httpRequest = (HttpServletRequest) request;
-		return getBean(httpRequest.getSession());
-	}
+        return getInstance();
 
-	public static ConfigurationProperties getBean(HttpSession session) {
-		if (session == null) {
-			throw new NullPointerException("session may not be null.");
-		}
-		return getBean(session.getServletContext());
 	}
+    @Deprecated
+	public static ConfigurationProperties getBean(HttpSession session) {
+        return getInstance();
 
-	public static ConfigurationProperties getBean(HttpServlet servlet) {
-		if (servlet == null) {
-			throw new NullPointerException("servlet may not be null.");
-		}
-		return getBean(servlet.getServletContext());
 	}
+    @Deprecated
+	public static ConfigurationProperties getBean(HttpServlet servlet) {
+        return getInstance();
 
-	public static ConfigurationProperties getBean(ServletContextEvent sce) {
-		if (sce == null) {
-			throw new NullPointerException("sce may not be null.");
-		}
-		return getBean(sce.getServletContext());
 	}
+    @Deprecated
+	public static ConfigurationProperties getBean(ServletContextEvent sce) {
+        return getInstance();
 
-	public static ConfigurationProperties getBean(ServletConfig servletConfig) {
-		if (servletConfig == null) {
-			throw new NullPointerException("servletConfig may not be null.");
-		}
-		return getBean(servletConfig.getServletContext());
 	}
+    @Deprecated
+	public static ConfigurationProperties getBean(ServletConfig servletConfig) {
+        return getInstance();
 
+	}
+    @Deprecated
 	public static ConfigurationProperties getBean(ServletContext context) {
-		if (context == null) {
-			throw new NullPointerException("context may not be null.");
-		}
-
-		Object o = context.getAttribute(ATTRIBUTE_NAME);
-		if (o == null) {
-			log.error("ConfigurationProperties bean has not been set.");
-			return DUMMY_PROPERTIES;
-		} else if (!(o instanceof ConfigurationProperties)) {
-			log.error("Error: ConfigurationProperties was set to an "
-					+ "invalid object: " + o);
-			return DUMMY_PROPERTIES;
-		}
-
-		return (ConfigurationProperties) o;
+		return getInstance();
 	}
 
 	/**
 	 * Protected access, so the Stub class can call it for unit tests.
 	 * Otherwise, this should only be called by ConfigurationPropertiesSetup.
 	 */
-	protected static void setBean(ServletContext context,
-			ConfigurationProperties bean) {
-		if (context == null) {
-			throw new NullPointerException("context may not be null.");
-		}
-		if (bean == null) {
-			throw new NullPointerException("bean may not be null.");
-		}
-		context.setAttribute(ATTRIBUTE_NAME, bean);
-		log.debug(bean);
+    @Deprecated
+	protected static void setBean(ConfigurationProperties bean) {
+	    setInstance(bean);
 	}
 
+    @Deprecated
 	/** Package access, so unit tests can call it. */
 	static void removeBean(ServletContext context) {
-		if (context == null) {
-			throw new NullPointerException("context may not be null.");
-		}
-		context.removeAttribute(ATTRIBUTE_NAME);
+	    INSTANCE = DUMMY_PROPERTIES;
 	}
 
 	// ----------------------------------------------------------------------
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/config/ConfigurationPropertiesSetup.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/config/ConfigurationPropertiesSetup.java
index 54d0ac90d0..8f420cf244 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/config/ConfigurationPropertiesSetup.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/config/ConfigurationPropertiesSetup.java
@@ -82,7 +82,7 @@ public void contextInitialized(ServletContextEvent sce) {
 				ConfigurationPropertiesImpl bean = new ConfigurationPropertiesImpl(
 						stream, preempts, new BuildProperties(ctx).getMap());
 
-				ConfigurationProperties.setBean(ctx, bean);
+				ConfigurationProperties.setBean(bean);
 				ss.info(this, "Loaded " + bean.getPropertyMap().size()
 						+ " properties.");
 			} finally {
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/IndividualListRdfController.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/IndividualListRdfController.java
index 06ce8c50e4..5f99497d95 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/IndividualListRdfController.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/IndividualListRdfController.java
@@ -23,9 +23,10 @@
 import org.apache.jena.rdf.model.Model;
 import org.apache.jena.rdf.model.ModelFactory;
 
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.AccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.ObjectPropertyStatementAccessObject;
 import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyHelper;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.publish.PublishObjectPropertyStatement;
 import edu.cornell.mannlib.vitro.webapp.beans.ObjectProperty;
 import edu.cornell.mannlib.vitro.webapp.controller.api.VitroApiServlet;
 import edu.cornell.mannlib.vitro.webapp.controller.api.sparqlquery.InvalidQueryTypeException;
@@ -96,10 +97,10 @@ private RdfResultMediaType parseAcceptHeader(HttpServletRequest req)
 	private boolean isVclassRestricted(String vclassUri, HttpServletRequest req) {
 		ObjectProperty property = new ObjectProperty();
 		property.setURI(RDF_TYPE);
-		RequestedAction dops = new PublishObjectPropertyStatement(ModelAccess
-				.on(req).getOntModel(FULL_ASSERTIONS), RequestedAction.SOME_URI, property,
+		AccessObject dops = new ObjectPropertyStatementAccessObject(ModelAccess
+				.on(req).getOntModel(FULL_ASSERTIONS), AccessObject.SOME_URI, property,
 				vclassUri);
-		return !PolicyHelper.isAuthorizedForActions(req, dops);
+		return !PolicyHelper.isAuthorizedForActions(req, dops, AccessOperation.PUBLISH);
 	}
 
 	private void sendEmptyModel(RdfResultMediaType mediaType,
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/SparqlQueryBuilderServlet.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/SparqlQueryBuilderServlet.java
index 2879af9dd0..f5e761ae96 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/SparqlQueryBuilderServlet.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/SparqlQueryBuilderServlet.java
@@ -11,6 +11,7 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import edu.cornell.mannlib.vitro.webapp.auth.permissions.SimplePermission;
 import edu.cornell.mannlib.vitro.webapp.utils.JSPPageHandler;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -20,7 +21,6 @@
 import org.apache.jena.sparql.resultset.ResultsFormat;
 
 import edu.cornell.mannlib.vedit.controller.BaseEditController;
-import edu.cornell.mannlib.vitro.webapp.auth.permissions.SimplePermission;
 
 /**
  *  This servlet works as a RequestDispatcher to direct to the sparl query builder page.
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/VitroHttpServlet.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/VitroHttpServlet.java
index 0d0c3453e4..90205db49d 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/VitroHttpServlet.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/VitroHttpServlet.java
@@ -2,8 +2,6 @@
 
 package edu.cornell.mannlib.vitro.webapp.controller;
 
-import static edu.cornell.mannlib.vitro.webapp.auth.requestedAction.AuthorizationRequest.AUTHORIZED;
-
 import java.io.IOException;
 import java.io.UnsupportedEncodingException;
 import java.net.URLEncoder;
@@ -12,7 +10,6 @@
 import java.text.SimpleDateFormat;
 import java.util.ArrayList;
 import java.util.Arrays;
-import java.util.Collections;
 import java.util.Comparator;
 import java.util.Enumeration;
 import java.util.List;
@@ -120,7 +117,7 @@ protected void doPost(HttpServletRequest request,
 	protected boolean isAuthorizedToDisplayPage(HttpServletRequest request,
 			HttpServletResponse response, AuthorizationRequest actions) {
 		// Record restricted pages so we won't return to them on logout
-		if (actions != AUTHORIZED) {
+		if (actions != AuthorizationRequest.AUTHORIZED) {
 			LogoutRedirector.recordRestrictedPageUri(request);
 		}
 
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/accounts/admin/UserAccountsDeleter.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/accounts/admin/UserAccountsDeleter.java
index 70d52bead2..9fbe7001a6 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/accounts/admin/UserAccountsDeleter.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/accounts/admin/UserAccountsDeleter.java
@@ -12,8 +12,9 @@
 import org.apache.commons.logging.LogFactory;
 
 import edu.cornell.mannlib.vedit.beans.LoginStatusBean;
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.RootAccessObject;
 import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyHelper;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.ManageRootAccount;
 import edu.cornell.mannlib.vitro.webapp.beans.UserAccount;
 import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
 import edu.cornell.mannlib.vitro.webapp.controller.accounts.UserAccountsPage;
@@ -75,7 +76,7 @@ private void validateInputUris() {
 
 			if (u.isRootUser()
 					&& (!PolicyHelper.isAuthorizedForActions(vreq,
-							new ManageRootAccount()))) {
+							new RootAccessObject(), AccessOperation.DROP))) {
 				log.warn("Attempting to delete the root account, "
 						+ "but not authorized. Logged in as "
 						+ LoginStatusBean.getCurrentUser(vreq));
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/accounts/admin/UserAccountsEditPage.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/accounts/admin/UserAccountsEditPage.java
index 13e1ab0dd4..e93f211519 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/accounts/admin/UserAccountsEditPage.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/accounts/admin/UserAccountsEditPage.java
@@ -15,8 +15,9 @@
 import org.apache.commons.logging.LogFactory;
 
 import edu.cornell.mannlib.vedit.beans.LoginStatusBean;
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.RootAccessObject;
 import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyHelper;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.ManageRootAccount;
 import edu.cornell.mannlib.vitro.webapp.beans.Individual;
 import edu.cornell.mannlib.vitro.webapp.beans.SelfEditingConfiguration;
 import edu.cornell.mannlib.vitro.webapp.beans.UserAccount;
@@ -122,7 +123,7 @@ private void validateUserAccountInfo() {
 		}
 		if (userAccount.isRootUser()) {
 			if (!PolicyHelper.isAuthorizedForActions(vreq,
-					new ManageRootAccount())) {
+					new RootAccessObject(), AccessOperation.EDIT)) {
 				log.warn("User is attempting to edit the root account, "
 						+ "but is not authorized to do so. Logged in as: "
 						+ LoginStatusBean.getCurrentUser(vreq));
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/accounts/admin/UserAccountsListPage.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/accounts/admin/UserAccountsListPage.java
index f02e17b8e4..1347e1eb55 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/accounts/admin/UserAccountsListPage.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/accounts/admin/UserAccountsListPage.java
@@ -19,8 +19,9 @@
 import org.apache.commons.logging.LogFactory;
 
 import edu.cornell.mannlib.vedit.beans.LoginStatusBean;
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.RootAccessObject;
 import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyHelper;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.ManageRootAccount;
 import edu.cornell.mannlib.vitro.webapp.beans.PermissionSet;
 import edu.cornell.mannlib.vitro.webapp.beans.UserAccount;
 import edu.cornell.mannlib.vitro.webapp.beans.UserAccount.Status;
@@ -198,7 +199,7 @@ private boolean permittedToEdit(UserAccount account) {
 		if (!account.isRootUser()) {
 			return true;
 		}
-		if (PolicyHelper.isAuthorizedForActions(vreq, new ManageRootAccount())) {
+		if (PolicyHelper.isAuthorizedForActions(vreq, new RootAccessObject(), AccessOperation.EDIT)) {
 			return true;
 		}
 		return false;
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/accounts/manageproxies/ajax/ManageProxiesAjaxController.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/accounts/manageproxies/ajax/ManageProxiesAjaxController.java
index 97d2e1ce2b..9c1296d1c3 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/accounts/manageproxies/ajax/ManageProxiesAjaxController.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/accounts/manageproxies/ajax/ManageProxiesAjaxController.java
@@ -28,8 +28,9 @@ public class ManageProxiesAjaxController extends VitroAjaxController {
 
 	@Override
 	protected AuthorizationRequest requiredActions(VitroRequest vreq) {
-		return SimplePermission.MANAGE_OWN_PROXIES.ACTION
-				.or(SimplePermission.MANAGE_PROXIES.ACTION);
+		return AuthorizationRequest.or(
+		        SimplePermission.MANAGE_OWN_PROXIES.ACTION
+				,SimplePermission.MANAGE_PROXIES.ACTION);
 	}
 
 	@Override
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/accounts/user/UserAccountsUserController.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/accounts/user/UserAccountsUserController.java
index 45be8f5531..9abe5f2698 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/accounts/user/UserAccountsUserController.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/accounts/user/UserAccountsUserController.java
@@ -3,7 +3,6 @@
 package edu.cornell.mannlib.vitro.webapp.controller.accounts.user;
 
 import static edu.cornell.mannlib.vedit.beans.LoginStatusBean.AuthenticationSource.EXTERNAL;
-import static edu.cornell.mannlib.vitro.webapp.auth.requestedAction.AuthorizationRequest.AUTHORIZED;
 
 import javax.servlet.annotation.WebServlet;
 import javax.servlet.http.HttpServletRequest;
@@ -11,8 +10,8 @@
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
-import edu.cornell.mannlib.vitro.webapp.auth.permissions.SimplePermission;
 import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.AuthorizationRequest;
+import edu.cornell.mannlib.vitro.webapp.auth.permissions.SimplePermission;
 import edu.cornell.mannlib.vitro.webapp.beans.DisplayMessage;
 import edu.cornell.mannlib.vitro.webapp.beans.UserAccount;
 import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
@@ -44,7 +43,7 @@ protected AuthorizationRequest requiredActions(VitroRequest vreq) {
 		if (ACTION_MY_ACCOUNT.equals(action)) {
 			return SimplePermission.EDIT_OWN_ACCOUNT.ACTION;
 		} else {
-			return AUTHORIZED;
+			return AuthorizationRequest.AUTHORIZED;
 		}
 	}
 
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/admin/ShowAuthController.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/admin/ShowAuthController.java
index b3ee6af2d4..a9e3b0e5f2 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/admin/ShowAuthController.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/admin/ShowAuthController.java
@@ -2,9 +2,8 @@
 
 package edu.cornell.mannlib.vitro.webapp.controller.admin;
 
-import static edu.cornell.mannlib.vitro.webapp.auth.requestedAction.AuthorizationRequest.AUTHORIZED;
-import static edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction.SOME_PREDICATE;
-import static edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction.SOME_URI;
+import static edu.cornell.mannlib.vitro.webapp.auth.objects.AccessObject.SOME_PREDICATE;
+import static edu.cornell.mannlib.vitro.webapp.auth.objects.AccessObject.SOME_URI;
 
 import java.util.ArrayList;
 import java.util.HashMap;
@@ -12,20 +11,20 @@
 import java.util.Map;
 import java.util.TreeMap;
 
-import javax.servlet.ServletContext;
 import javax.servlet.annotation.WebServlet;
 
 import edu.cornell.mannlib.vedit.beans.LoginStatusBean;
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation;
 import edu.cornell.mannlib.vitro.webapp.auth.identifier.ActiveIdentifierBundleFactories;
 import edu.cornell.mannlib.vitro.webapp.auth.identifier.Identifier;
 import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle;
 import edu.cornell.mannlib.vitro.webapp.auth.identifier.RequestIdentifiers;
 import edu.cornell.mannlib.vitro.webapp.auth.identifier.common.HasAssociatedIndividual;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.AccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.ObjectPropertyStatementAccessObject;
 import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyHelper;
-import edu.cornell.mannlib.vitro.webapp.auth.policy.ServletPolicyList;
+import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyStore;
 import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.AuthorizationRequest;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.EditObjectPropertyStatement;
 import edu.cornell.mannlib.vitro.webapp.config.ConfigurationProperties;
 import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
 import edu.cornell.mannlib.vitro.webapp.controller.authenticate.Authenticator;
@@ -42,7 +41,7 @@ public class ShowAuthController extends FreemarkerHttpServlet {
 
 	@Override
 	protected AuthorizationRequest requiredActions(VitroRequest vreq) {
-		return AUTHORIZED;
+		return AuthorizationRequest.AUTHORIZED;
 	}
 
 	@Override
@@ -53,8 +52,8 @@ protected ResponseValues processRequest(VitroRequest vreq) {
 		body.put("identifiers", getSortedIdentifiers(vreq));
 		body.put("currentUser", LoginStatusBean.getCurrentUser(vreq));
 		body.put("associatedIndividuals", getAssociatedIndividuals(vreq));
-		body.put("factories", getIdentifierFactoryNames(vreq));
-		body.put("policies", ServletPolicyList.getPolicies(vreq));
+		body.put("factories", ActiveIdentifierBundleFactories.getFactoryNames());
+		body.put("policies", PolicyStore.getInstance().getShortUris());
 		body.put("matchingProperty", getMatchingProperty(vreq));
 		body.put("authenticator", Authenticator.getInstance(vreq));
 
@@ -69,11 +68,6 @@ private List<Identifier> getSortedIdentifiers(VitroRequest vreq) {
 		return new ArrayList<Identifier>(idMap.values());
 	}
 
-	private List<String> getIdentifierFactoryNames(VitroRequest vreq) {
-		ServletContext ctx = vreq.getSession().getServletContext();
-		return ActiveIdentifierBundleFactories.getFactoryNames(ctx);
-	}
-
 	private String getMatchingProperty(VitroRequest vreq) {
 		return ConfigurationProperties.getBean(vreq).getProperty(
 				"selfEditing.idMatchingProperty", "");
@@ -94,10 +88,10 @@ private List<AssociatedIndividual> getAssociatedIndividuals(
 	 * this individual?
 	 */
 	private boolean mayEditIndividual(VitroRequest vreq, String individualUri) {
-		RequestedAction action = new EditObjectPropertyStatement(
+		AccessObject action = new ObjectPropertyStatementAccessObject(
 				vreq.getJenaOntModel(), individualUri,
 				SOME_PREDICATE, SOME_URI);
-		return PolicyHelper.isAuthorizedForActions(vreq, action);
+		return PolicyHelper.isAuthorizedForActions(vreq, action, AccessOperation.EDIT);
 	}
 
 	public class AssociatedIndividual {
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/admin/ShowSourcesController.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/admin/ShowSourcesController.java
index c0d5e3fc3a..bf235be28c 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/admin/ShowSourcesController.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/admin/ShowSourcesController.java
@@ -2,7 +2,6 @@
 
 package edu.cornell.mannlib.vitro.webapp.controller.admin;
 
-import static edu.cornell.mannlib.vitro.webapp.auth.requestedAction.AuthorizationRequest.AUTHORIZED;
 import static edu.cornell.mannlib.vitro.webapp.modelaccess.ModelAccess.LanguageOption.LANGUAGE_NEUTRAL;
 import static edu.cornell.mannlib.vitro.webapp.modelaccess.ModelAccess.WhichService.CONFIGURATION;
 import static edu.cornell.mannlib.vitro.webapp.modelaccess.ModelAccess.WhichService.CONTENT;
@@ -112,7 +111,7 @@ public class ShowSourcesController extends FreemarkerHttpServlet {
 
 	@Override
 	protected AuthorizationRequest requiredActions(VitroRequest vreq) {
-		return AUTHORIZED;
+		return AuthorizationRequest.AUTHORIZED;
 	}
 
 	@Override
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/ajax/VitroAjaxController.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/ajax/VitroAjaxController.java
index 51a68e602a..3c0daf4e76 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/ajax/VitroAjaxController.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/ajax/VitroAjaxController.java
@@ -2,8 +2,6 @@
 
 package edu.cornell.mannlib.vitro.webapp.controller.ajax;
 
-import static edu.cornell.mannlib.vitro.webapp.auth.requestedAction.AuthorizationRequest.AUTHORIZED;
-
 import java.io.IOException;
 import java.io.PrintWriter;
 import java.util.Map;
@@ -68,7 +66,7 @@ protected final void doPost(HttpServletRequest req, HttpServletResponse resp)
      */
     @SuppressWarnings("unused")
 	protected AuthorizationRequest requiredActions(VitroRequest vreq) {
-		return AUTHORIZED;
+		return AuthorizationRequest.AUTHORIZED;
 	}
 
 	/**
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/api/VitroApiServlet.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/api/VitroApiServlet.java
index 47bcdfd21a..52951a8a92 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/api/VitroApiServlet.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/api/VitroApiServlet.java
@@ -41,7 +41,7 @@ public class VitroApiServlet extends HttpServlet {
 	 * them for this action, throw an AuthException.
 	 */
 	protected void confirmAuthorization(HttpServletRequest req,
-			AuthorizationRequest requiredActions) throws AuthException {
+	        AuthorizationRequest requiredActions) throws AuthException {
 		String email = req.getParameter("email");
 		String password = req.getParameter("password");
 
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/authenticate/AdminLoginController.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/authenticate/AdminLoginController.java
index 36a7601b23..da13d5867e 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/authenticate/AdminLoginController.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/authenticate/AdminLoginController.java
@@ -3,7 +3,6 @@
 package edu.cornell.mannlib.vitro.webapp.controller.authenticate;
 
 import static edu.cornell.mannlib.vedit.beans.LoginStatusBean.AuthenticationSource.INTERNAL;
-import static edu.cornell.mannlib.vitro.webapp.auth.requestedAction.AuthorizationRequest.AUTHORIZED;
 import static edu.cornell.mannlib.vitro.webapp.beans.UserAccount.MAX_PASSWORD_LENGTH;
 import static edu.cornell.mannlib.vitro.webapp.beans.UserAccount.MIN_PASSWORD_LENGTH;
 
@@ -58,7 +57,7 @@ public class AdminLoginController extends FreemarkerHttpServlet {
 
 	@Override
 	protected AuthorizationRequest requiredActions(VitroRequest vreq) {
-		return AUTHORIZED; // No requirements to use this page.
+		return AuthorizationRequest.AUTHORIZED; // No requirements to use this page.
 	}
 
 	@Override
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/authenticate/Authenticator.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/authenticate/Authenticator.java
index e8bbec5167..ec1230313b 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/authenticate/Authenticator.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/authenticate/Authenticator.java
@@ -266,10 +266,8 @@ public static boolean isValidEmailAddress(String emailAddress) {
 	 * Get the IDs that would be created for this userAccount, if this user were
 	 * to log in.
 	 */
-	public static IdentifierBundle getIdsForUserAccount(HttpServletRequest req,
-			UserAccount userAccount) {
-		return ActiveIdentifierBundleFactories.getUserIdentifierBundle(req,
-				userAccount);
+	public static IdentifierBundle getIdsForUserAccount(UserAccount userAccount) {
+		return ActiveIdentifierBundleFactories.getUserIdentifierBundle(userAccount);
 	}
 
 	// ----------------------------------------------------------------------
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/authenticate/BasicAuthenticator.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/authenticate/BasicAuthenticator.java
index 34fc6a01d6..19795a9fcc 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/authenticate/BasicAuthenticator.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/authenticate/BasicAuthenticator.java
@@ -2,14 +2,10 @@
 
 package edu.cornell.mannlib.vitro.webapp.controller.authenticate;
 
-import java.util.ArrayList;
-import java.util.Date;
-import java.util.List;
-import java.util.Map;
-
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpSession;
 
+import edu.cornell.mannlib.vitro.webapp.auth.permissions.PermissionSets;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
@@ -18,7 +14,6 @@
 import edu.cornell.mannlib.vitro.webapp.application.ApplicationUtils;
 import edu.cornell.mannlib.vitro.webapp.auth.identifier.RequestIdentifiers;
 import edu.cornell.mannlib.vitro.webapp.auth.identifier.common.IsRootUser;
-import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean.RoleLevel;
 import edu.cornell.mannlib.vitro.webapp.beans.Individual;
 import edu.cornell.mannlib.vitro.webapp.beans.SelfEditingConfiguration;
 import edu.cornell.mannlib.vitro.webapp.beans.UserAccount;
@@ -33,6 +28,12 @@
 import edu.cornell.mannlib.vitro.webapp.modules.searchEngine.SearchEngine;
 import edu.cornell.mannlib.vitro.webapp.modules.searchEngine.SearchEngineException;
 
+import java.util.ArrayList;
+import java.util.Date;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
 /**
  * The "standard" implementation of Authenticator.
  */
@@ -228,17 +229,20 @@ private void createLoginStatusBean(String userUri,
 	/**
 	 * Editors and other privileged users get a longer timeout interval.
 	 */
-	private void setSessionTimeoutLimit(UserAccount userAccount,
-			HttpSession session) {
-		RoleLevel role = RoleLevel.getRoleFromLoginStatus(request);
-		if (role == RoleLevel.EDITOR || role == RoleLevel.CURATOR
-				|| role == RoleLevel.DB_ADMIN) {
-			session.setMaxInactiveInterval(PRIVILEGED_TIMEOUT_INTERVAL);
-		} else if (userAccount.isRootUser()) {
-			session.setMaxInactiveInterval(PRIVILEGED_TIMEOUT_INTERVAL);
+	private void setSessionTimeoutLimit(UserAccount userAccount, HttpSession session) {
+		int interval = LOGGED_IN_TIMEOUT_INTERVAL;
+		if (userAccount.isRootUser()) {
+			interval = PRIVILEGED_TIMEOUT_INTERVAL;
 		} else {
-			session.setMaxInactiveInterval(LOGGED_IN_TIMEOUT_INTERVAL);
+			Set<String> permissions = userAccount.getPermissionSetUris();
+			for (String uri : permissions) {
+				if (!uri.equals(PermissionSets.URI_SELF_EDITOR)) {
+					interval = PRIVILEGED_TIMEOUT_INTERVAL;
+				}
+			}
 		}
+
+		session.setMaxInactiveInterval(interval);
 	}
 
 	/**
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/authenticate/LoginRedirector.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/authenticate/LoginRedirector.java
index 65b8a2310f..ca4ba5056e 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/authenticate/LoginRedirector.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/authenticate/LoginRedirector.java
@@ -74,15 +74,17 @@ public String getRedirectionUriForLoggedInUser() {
 			return getAssociatedIndividualHomePage();
 		}
 
-		if (!canSeeSiteAdminPage()) {
-			log.debug("User not recognized. Going to application home.");
-			return getApplicationHomePageUrl();
-		}
+		if (null != afterLoginPage) {
+			if (isLoginPage(afterLoginPage)) {
+				if (canSeeSiteAdminPage()) {
+					log.debug("Coming from /login. Going to site admin page.");
+					return getSiteAdminPageUrl();
+				} else {
+					log.debug("User not recognized. Going to application home.");
+					return getApplicationHomePageUrl();
+				}
+			}
 
-		if (isLoginPage(afterLoginPage)) {
-			log.debug("Coming from /login. Going to site admin page.");
-			return getSiteAdminPageUrl();
-		} else if (null != afterLoginPage) {
 			log.debug("Returning to requested page: " + afterLoginPage);
 			return afterLoginPage;
 		} else {
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/authenticate/RestrictedAuthenticator.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/authenticate/RestrictedAuthenticator.java
index bb4fb6322f..783acd1405 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/authenticate/RestrictedAuthenticator.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/authenticate/RestrictedAuthenticator.java
@@ -11,7 +11,6 @@
 import edu.cornell.mannlib.vitro.webapp.auth.identifier.RequestIdentifiers;
 import edu.cornell.mannlib.vitro.webapp.auth.permissions.SimplePermission;
 import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyHelper;
-import edu.cornell.mannlib.vitro.webapp.auth.policy.ServletPolicyList;
 import edu.cornell.mannlib.vitro.webapp.beans.UserAccount;
 
 /**
@@ -49,12 +48,10 @@ public boolean isUserPermittedToLogin(UserAccount userAccount) {
 		}
 
 		ArrayIdentifierBundle ids = new ArrayIdentifierBundle();
-		ids.addAll(getIdsForUserAccount(req, userAccount));
+		ids.addAll(getIdsForUserAccount(userAccount));
 		ids.addAll(RequestIdentifiers.getIdBundleForRequest(req));
 
-		return PolicyHelper.isAuthorizedForActions(ids,
-				ServletPolicyList.getPolicies(req),
-				SimplePermission.LOGIN_DURING_MAINTENANCE.ACTION);
+		return PolicyHelper.isAuthorizedForActions(ids, SimplePermission.LOGIN_DURING_MAINTENANCE.ACTION);
 	}
 
 	@Override
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/datatools/dumprestore/DumpRestoreController.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/datatools/dumprestore/DumpRestoreController.java
index 77f22b3755..0f5e427854 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/datatools/dumprestore/DumpRestoreController.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/datatools/dumprestore/DumpRestoreController.java
@@ -15,7 +15,7 @@
 
 import edu.cornell.mannlib.vitro.webapp.auth.permissions.SimplePermission;
 import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyHelper;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction;
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.AuthorizationRequest;
 import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
 import edu.cornell.mannlib.vitro.webapp.controller.freemarker.FreemarkerHttpServlet;
 import edu.cornell.mannlib.vitro.webapp.controller.freemarker.UrlBuilder;
@@ -37,7 +37,7 @@
 @WebServlet(name = "DumpRestoreController", urlPatterns = {"/dumpRestore/*"} )
 public class DumpRestoreController extends FreemarkerHttpServlet {
 
-	private static final RequestedAction REQUIRED_ACTION = SimplePermission.USE_ADVANCED_DATA_TOOLS_PAGES.ACTION;
+	private static final AuthorizationRequest REQUIRED_ACTION = SimplePermission.USE_ADVANCED_DATA_TOOLS_PAGES.ACTION;
 
 	static final String ACTION_DUMP = "/dump";
 	static final String ACTION_RESTORE = "/restore";
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/DatapropEditController.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/DatapropEditController.java
index 4028c0aec3..9e1d36b43d 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/DatapropEditController.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/DatapropEditController.java
@@ -43,7 +43,7 @@ public void doPost (HttpServletRequest request, HttpServletResponse response) {
 
     	VitroRequest vreq = new VitroRequest(request);
 
-        final int NUM_COLS=19;
+        final int NUM_COLS=15;
 
         String datapropURI = request.getParameter("uri");
 
@@ -69,14 +69,10 @@ public void doPost (HttpServletRequest request, HttpServletResponse response) {
         results.add("public description");    // column 9
         results.add("example");               // column 10
         results.add("editor description");    // column 11
-        results.add("display level");         // column 12
-        results.add("update level");          // column 13
-        results.add("display tier");          // column 14
-        results.add("display limit");         // column 15
-        results.add("custom entry form");     // column 16
-        results.add("editing");               // column 17
-        results.add("URI");                   // column 18
-        results.add("publish level");         // column 19
+        results.add("display tier");          // column 12
+        results.add("display limit");         // column 13
+        results.add("custom entry form");     // column 14
+        results.add("URI");                   // column 15
 
         results.add(dp.getPickListName()); // column 1
         results.add(dp.getPublicName() == null ? "(no public label)" : dp.getPublicName()); // column 2
@@ -137,17 +133,10 @@ public void doPost (HttpServletRequest request, HttpServletResponse response) {
         String descriptionStr = (dp.getDescription() == null) ? "" : dp.getDescription();  // column 11
         results.add(descriptionStr);
 
-		results.add(dp.getHiddenFromDisplayBelowRoleLevel() == null ? "(unspecified)"
-				: dp.getHiddenFromDisplayBelowRoleLevel().getDisplayLabel()); // column 12
-		results.add(dp.getProhibitedFromUpdateBelowRoleLevel() == null ? "(unspecified)"
-				: dp.getProhibitedFromUpdateBelowRoleLevel().getUpdateLabel()); // column 13
-        results.add(String.valueOf(dp.getDisplayTier()));  // column 14
-        results.add(String.valueOf(dp.getDisplayLimit()));  // column 15
-        results.add(dp.getCustomEntryForm() == null ? "(unspecified)" : dp.getCustomEntryForm());  // column 16
-        results.add(dp.getEditing() == null ? "" : dp.getEditing()); // column 17
-        results.add(dp.getURI() == null ? "" : dp.getURI()); // column 18
-		results.add(dp.getHiddenFromPublishBelowRoleLevel() == null ? "(unspecified)"
-				: dp.getHiddenFromPublishBelowRoleLevel().getDisplayLabel()); // column 19
+        results.add(String.valueOf(dp.getDisplayTier()));  // column 12
+        results.add(String.valueOf(dp.getDisplayLimit()));  // column 13
+        results.add(dp.getCustomEntryForm() == null ? "(unspecified)" : dp.getCustomEntryForm());  // column 14
+        results.add(dp.getURI() == null ? "" : dp.getURI()); // column 15
         request.setAttribute("results",results);
         request.setAttribute("columncount",NUM_COLS);
         request.setAttribute("suppressquery","true");
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/DatapropRetryController.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/DatapropRetryController.java
index 70d47a80a7..7153ddaf9f 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/DatapropRetryController.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/DatapropRetryController.java
@@ -25,12 +25,12 @@
 import edu.cornell.mannlib.vedit.util.FormUtils;
 import edu.cornell.mannlib.vedit.validator.impl.IntValidator;
 import edu.cornell.mannlib.vedit.validator.impl.XMLNameValidator;
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType;
 import edu.cornell.mannlib.vitro.webapp.auth.permissions.SimplePermission;
 import edu.cornell.mannlib.vitro.webapp.auth.policy.bean.PropertyRestrictionListener;
 import edu.cornell.mannlib.vitro.webapp.beans.DataProperty;
 import edu.cornell.mannlib.vitro.webapp.beans.VClass;
 import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
-import edu.cornell.mannlib.vitro.webapp.controller.edit.utils.RoleLevelOptionsSetup;
 import edu.cornell.mannlib.vitro.webapp.dao.DataPropertyDao;
 import edu.cornell.mannlib.vitro.webapp.dao.DatatypeDao;
 import edu.cornell.mannlib.vitro.webapp.dao.OntologyDao;
@@ -165,23 +165,6 @@ public void doPost (HttpServletRequest request, HttpServletResponse response) {
         groupOptList.add(0,new Option("","none"));
         optionMap.put("GroupURI", groupOptList);
 
-        optionMap.put("HiddenFromDisplayBelowRoleLevelUsingRoleUri",RoleLevelOptionsSetup.getDisplayOptionsList(objectForEditing));
-        optionMap.put("ProhibitedFromUpdateBelowRoleLevelUsingRoleUri",RoleLevelOptionsSetup.getUpdateOptionsList(objectForEditing));
-        optionMap.put("HiddenFromPublishBelowRoleLevelUsingRoleUri",RoleLevelOptionsSetup.getPublishOptionsList(objectForEditing));
-
-        // Set the value of the editing parameter (as defined in VitroVocabulary.java). 
-        // Use value to control form types as in defaultDataPropertyForm.ftl
-        String editingVal = objectForEditing.getEditing();
-        List<Option> editingOptList = new ArrayList<Option>();
-        editingOptList.add(0,new Option("","plaintext"));
-        editingOptList.add(1,new Option("HTML","rich text"));
-        for (Option val : editingOptList) {
-            if(editingVal != null && editingVal.equals(val.getValue())) {
-                val.setSelected(true);
-            }
-        }
-        optionMap.put("Editing", editingOptList);
-
         foo.setOptionLists(optionMap);
 
         request.setAttribute("functional",objectForEditing.getFunctional());
@@ -199,6 +182,8 @@ public void doPost (HttpServletRequest request, HttpServletResponse response) {
         request.setAttribute("title","Data Property Editing Form");
         request.setAttribute("_action",action);
         request.setAttribute("unqualifiedClassName","DatatypeProperty");
+
+        addAccessAttributes(request, objectForEditing.getURI(), AccessObjectType.DATA_PROPERTY);
         setRequestAttributes(request,epo);
 
         try {
@@ -206,7 +191,7 @@ public void doPost (HttpServletRequest request, HttpServletResponse response) {
         } catch (Exception e) {
             log.error("DatatypeRetryController could not forward to view.");
             log.error(e.getMessage());
-            log.error(e.getStackTrace());
+            log.error(e, e);
         }
 
     }
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/DatatypeRetryController.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/DatatypeRetryController.java
index 852ebcf60b..ce8fac8c9b 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/DatatypeRetryController.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/DatatypeRetryController.java
@@ -97,10 +97,9 @@ public void doPost (HttpServletRequest req, HttpServletResponse response) {
         try {
             JSPPageHandler.renderBasicPage(request, response, "/templates/edit/formBasic.jsp");
         } catch (Exception e) {
-            log.error("VclassRetryContro" +
-                    "ller could not forward to view.");
+            log.error("VclassRetryController could not forward to view.");
             log.error(e.getMessage());
-            log.error(e.getStackTrace());
+            log.error(e, e);
         }
 
     }
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/EntityEditController.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/EntityEditController.java
index 87735d417c..d2738b0211 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/EntityEditController.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/EntityEditController.java
@@ -74,14 +74,8 @@ public void doGet (HttpServletRequest request, HttpServletResponse response) {
         int colCount = 4;
         results.add("Name");
         results.add("class");
-        results.add("display level");
-        results.add("edit level");
         results.add("last updated");
-        colCount++;
         results.add("URI");
-        colCount++;
-        results.add("publish level");
-        colCount++;
 
         String rName = null;
         if (ent.getName() != null && ent.getName().length() > 0) {
@@ -117,16 +111,9 @@ public void doGet (HttpServletRequest request, HttpServletResponse response) {
         }
         results.add(classStr.toString());
 
-		results.add(ent.getHiddenFromDisplayBelowRoleLevel() == null ? "unspecified"
-				: ent.getHiddenFromDisplayBelowRoleLevel().getDisplayLabel());
-		results.add(ent.getProhibitedFromUpdateBelowRoleLevel() == null ? "unspecified"
-				: ent.getProhibitedFromUpdateBelowRoleLevel().getUpdateLabel());
-
         String rModTime = (ent.getModTime()==null) ? "" : publicDateFormat.format(ent.getModTime());
         results.add(rModTime);
         results.add( (ent.getURI() == null) ? "[anonymous individual]" : ent.getURI() );
-		results.add(ent.getHiddenFromPublishBelowRoleLevel() == null ? "unspecified"
-				: ent.getHiddenFromPublishBelowRoleLevel().getDisplayLabel());
         request.setAttribute("results",results);
         request.setAttribute("columncount", colCount);
         request.setAttribute("suppressquery","true");
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/EntityRetryController.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/EntityRetryController.java
index a385f36bae..926545550d 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/EntityRetryController.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/EntityRetryController.java
@@ -47,7 +47,6 @@
 import edu.cornell.mannlib.vitro.webapp.beans.VClassGroup;
 import edu.cornell.mannlib.vitro.webapp.controller.Controllers;
 import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
-import edu.cornell.mannlib.vitro.webapp.controller.edit.utils.RoleLevelOptionsSetup;
 import edu.cornell.mannlib.vitro.webapp.dao.DataPropertyDao;
 import edu.cornell.mannlib.vitro.webapp.dao.IndividualDao;
 import edu.cornell.mannlib.vitro.webapp.dao.VClassDao;
@@ -173,10 +172,6 @@ public void doPost (HttpServletRequest request, HttpServletResponse response) {
 			hash.put("VClassURI", optList);
         }
 
-        hash.put("HiddenFromDisplayBelowRoleLevelUsingRoleUri",RoleLevelOptionsSetup.getDisplayOptionsList(individualForEditing));
-        hash.put("ProhibitedFromUpdateBelowRoleLevelUsingRoleUri",RoleLevelOptionsSetup.getUpdateOptionsList(individualForEditing));
-        hash.put("HiddenFromPublishBelowRoleLevelUsingRoleUri",RoleLevelOptionsSetup.getPublishOptionsList(individualForEditing));
-
         FormObject foo = new FormObject();
         foo.setOptionLists(hash);
 
@@ -308,7 +303,7 @@ public void doPost (HttpServletRequest request, HttpServletResponse response) {
         } catch (Exception e) {
             log.error("EntityRetryController could not forward to view.");
             log.error(e.getMessage());
-            log.error(e.getStackTrace());
+            log.error(e, e);
         }
 
     }
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/FauxPropertyRetryController.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/FauxPropertyRetryController.java
index 36cfbf6284..00dd403109 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/FauxPropertyRetryController.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/FauxPropertyRetryController.java
@@ -30,6 +30,7 @@
 import edu.cornell.mannlib.vedit.util.FormUtils;
 import edu.cornell.mannlib.vedit.validator.Validator;
 import edu.cornell.mannlib.vedit.validator.impl.RequiredFieldValidator;
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType;
 import edu.cornell.mannlib.vitro.webapp.auth.permissions.SimplePermission;
 import edu.cornell.mannlib.vitro.webapp.auth.policy.bean.PropertyRestrictionListener;
 import edu.cornell.mannlib.vitro.webapp.beans.Datatype;
@@ -38,7 +39,6 @@
 import edu.cornell.mannlib.vitro.webapp.beans.Property;
 import edu.cornell.mannlib.vitro.webapp.beans.PropertyGroup;
 import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
-import edu.cornell.mannlib.vitro.webapp.controller.edit.utils.RoleLevelOptionsSetup;
 import edu.cornell.mannlib.vitro.webapp.dao.DataPropertyDao;
 import edu.cornell.mannlib.vitro.webapp.dao.FauxPropertyDao;
 import edu.cornell.mannlib.vitro.webapp.dao.ObjectPropertyDao;
@@ -72,6 +72,16 @@ public void doPost(HttpServletRequest req, HttpServletResponse response) {
 		req.setAttribute("scripts", "/templates/edit/formBasic.js");
 		req.setAttribute("title", "Faux Property Editing Form");
 		req.setAttribute("_action", epo.getAction());
+		AccessObjectType aot;
+		if (populator.isFauxDataProperty()) {
+		    aot = AccessObjectType.FAUX_DATA_PROPERTY;
+		} else {
+		    aot = AccessObjectType.FAUX_OBJECT_PROPERTY;
+		}
+		req.setAttribute("_faux_property_type", aot);
+
+		addAccessAttributes(req, populator.beanForEditing.getConfigUri(), aot);
+
 		setRequestAttributes(req, epo);
 
 		try {
@@ -79,7 +89,7 @@ public void doPost(HttpServletRequest req, HttpServletResponse response) {
 		} catch (Exception e) {
 			log.error("Could not forward to view.");
 			log.error(e.getMessage());
-			log.error(e.getStackTrace());
+			log.error(e, e);
 		}
 
 	}
@@ -105,7 +115,11 @@ private static class EpoPopulator {
 		
 		private boolean isFauxDataProperty = false;
 
-		EpoPopulator(HttpServletRequest req, EditProcessObject epo) {
+		public boolean isFauxDataProperty() {
+            return isFauxDataProperty;
+        }
+
+        EpoPopulator(HttpServletRequest req, EditProcessObject epo) {
 			this.req = new VitroRequest(req);
 			this.ctx = req.getSession().getServletContext();
 			this.wadf = ModelAccess.on(req).getWebappDaoFactory(POLICY_NEUTRAL);
@@ -195,12 +209,6 @@ private FauxProperty newFauxProperty(String baseUri) {
 			fp.setGroupURI(base.getGroupURI());
 			fp.setRangeURI(base.getRangeVClassURI());
 			fp.setDomainURI(base.getDomainVClassURI());
-			fp.setHiddenFromDisplayBelowRoleLevel(base
-					.getHiddenFromDisplayBelowRoleLevel());
-			fp.setHiddenFromPublishBelowRoleLevel(base
-					.getHiddenFromPublishBelowRoleLevel());
-			fp.setProhibitedFromUpdateBelowRoleLevel(base
-					.getProhibitedFromUpdateBelowRoleLevel());
 			fp.setCustomEntryForm(base.getCustomEntryForm());
 			log.debug("Created new FauxProperty: " + fp);
 			return fp;
@@ -257,12 +265,7 @@ private Map<String, List<Option>> createOptionsMap() {
 			map.put("GroupURI", createClassGroupOptionList());
 			map.put("DomainURI", buildDomainOptionList());
 			map.put("RangeURI", buildRangeOptionList());
-			map.put("HiddenFromDisplayBelowRoleLevelUsingRoleUri",
-					RoleLevelOptionsSetup.getDisplayOptionsList(beanForEditing));
-			map.put("ProhibitedFromUpdateBelowRoleLevelUsingRoleUri",
-					RoleLevelOptionsSetup.getUpdateOptionsList(beanForEditing));
-			map.put("HiddenFromPublishBelowRoleLevelUsingRoleUri",
-					RoleLevelOptionsSetup.getPublishOptionsList(beanForEditing));
+
 			return map;
 		}
 
@@ -414,5 +417,4 @@ public int compare(Option o1, Option o2) {
 		}
 
 	}
-
 }
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/IndividualTypeRetryController.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/IndividualTypeRetryController.java
index f6dbeed4cd..f9e2ddb000 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/IndividualTypeRetryController.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/IndividualTypeRetryController.java
@@ -100,7 +100,7 @@ public void doGet (HttpServletRequest request, HttpServletResponse response) {
 	        } catch (Exception e) {
 	            log.error(this.getClass().getName()+" could not forward to view.");
 	            log.error(e.getMessage());
-	            log.error(e.getStackTrace());
+	            log.error(e, e);
 	        }
 
 	}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/NamespacePrefixRetryController.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/NamespacePrefixRetryController.java
index 525fa7976d..29ab42a6c1 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/NamespacePrefixRetryController.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/NamespacePrefixRetryController.java
@@ -5,13 +5,13 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import edu.cornell.mannlib.vitro.webapp.auth.permissions.SimplePermission;
 import edu.cornell.mannlib.vitro.webapp.utils.JSPPageHandler;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
 import edu.cornell.mannlib.vedit.beans.EditProcessObject;
 import edu.cornell.mannlib.vedit.controller.BaseEditController;
-import edu.cornell.mannlib.vitro.webapp.auth.permissions.SimplePermission;
 
 public class NamespacePrefixRetryController extends BaseEditController {
 
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/PropertyEditController.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/PropertyEditController.java
index 52e271291f..e8e62490f8 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/PropertyEditController.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/PropertyEditController.java
@@ -43,7 +43,7 @@ public void doPost (HttpServletRequest request, HttpServletResponse response) {
         	return;
         }
 
-        final int NUM_COLS=26;
+        final int NUM_COLS=23;
 
         VitroRequest vreq = new VitroRequest(request);
 
@@ -72,17 +72,14 @@ public void doPost (HttpServletRequest request, HttpServletResponse response) {
         results.add("public description");    // column 13
         results.add("example");               // column 14
         results.add("editor description");    // column 15
-        results.add("display level");         // column 16
-        results.add("update level");          // column 17
-        results.add("display tier");          // column 18
-        results.add("display limit");         // column 15
-        results.add("collate by subclass");   // column 19
-        results.add("custom entry form");     // column 20
-        results.add("select from existing");  // column 21
-        results.add("offer create new");      // column 22
-        results.add("sort direction");        // column 23
-        results.add("URI");                   // column 24
-        results.add("publish level");         // column 25
+        results.add("display tier");          // column 16
+        results.add("display limit");         // column 17
+        results.add("collate by subclass");   // column 18
+        results.add("custom entry form");     // column 19
+        results.add("select from existing");  // column 20
+        results.add("offer create new");      // column 21
+        results.add("sort direction");        // column 22
+        results.add("URI");                   // column 23
 
         results.add(p.getPickListName()); // column 1
 
@@ -170,25 +167,18 @@ public void doPost (HttpServletRequest request, HttpServletResponse response) {
         results.add(exampleStr);               // column 14
         String descriptionStr = (p.getDescription() == null) ? "" : p.getDescription();
         results.add(descriptionStr);           // column 15
+        
+        results.add("property: "+p.getDomainDisplayTier() + ", inverse: "+p.getRangeDisplayTier()); // column 16
+        results.add("property: "+p.getDomainDisplayLimitInteger() + ", inverse: "+p.getRangeDisplayLimit()); // column 17
+        results.add(p.getCollateBySubclass() ? "true" : "false"); // column 18
 
-		results.add(p.getHiddenFromDisplayBelowRoleLevel() == null ? "(unspecified)"
-				: p.getHiddenFromDisplayBelowRoleLevel().getDisplayLabel()); // column 16
-		results.add(p.getProhibitedFromUpdateBelowRoleLevel() == null ? "(unspecified)"
-				: p.getProhibitedFromUpdateBelowRoleLevel().getUpdateLabel()); // column 17
+        results.add(p.getCustomEntryForm() == null ? "(unspecified)" : p.getCustomEntryForm()); // column 19
+        results.add(p.getSelectFromExisting() ? "true" : "false");   // column 20
+        results.add(p.getOfferCreateNewOption() ? "true" : "false"); // column 21
 
-        results.add("property: "+p.getDomainDisplayTier() + ", inverse: "+p.getRangeDisplayTier()); // column 18
-        results.add("property: "+p.getDomainDisplayLimitInteger() + ", inverse: "+p.getRangeDisplayLimit());
-        results.add(p.getCollateBySubclass() ? "true" : "false"); // column 19
+        results.add(p.getDomainEntitySortDirection() == null ? "ascending" : p.getDomainEntitySortDirection()); // column 22
 
-        results.add(p.getCustomEntryForm() == null ? "(unspecified)" : p.getCustomEntryForm()); // column 20
-        results.add(p.getSelectFromExisting() ? "true" : "false");   // column 21
-        results.add(p.getOfferCreateNewOption() ? "true" : "false"); // column 22
-
-        results.add(p.getDomainEntitySortDirection() == null ? "ascending" : p.getDomainEntitySortDirection()); // column 23
-
-        results.add(p.getURI()); // column 24
-		results.add(p.getHiddenFromPublishBelowRoleLevel() == null ? "(unspecified)"
-				: p.getHiddenFromPublishBelowRoleLevel().getDisplayLabel()); // column 25
+        results.add(p.getURI()); // column 23
         request.setAttribute("results",results);
         request.setAttribute("columncount",NUM_COLS);
         request.setAttribute("suppressquery","true");
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/PropertyRetryController.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/PropertyRetryController.java
index 909ebeff98..a269a9c5f9 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/PropertyRetryController.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/PropertyRetryController.java
@@ -27,11 +27,11 @@
 import edu.cornell.mannlib.vedit.validator.Validator;
 import edu.cornell.mannlib.vedit.validator.impl.IntValidator;
 import edu.cornell.mannlib.vedit.validator.impl.XMLNameValidator;
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType;
 import edu.cornell.mannlib.vitro.webapp.auth.permissions.SimplePermission;
 import edu.cornell.mannlib.vitro.webapp.auth.policy.bean.PropertyRestrictionListener;
 import edu.cornell.mannlib.vitro.webapp.beans.ObjectProperty;
 import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
-import edu.cornell.mannlib.vitro.webapp.controller.edit.utils.RoleLevelOptionsSetup;
 import edu.cornell.mannlib.vitro.webapp.dao.ObjectPropertyDao;
 import edu.cornell.mannlib.vitro.webapp.dao.OntologyDao;
 import edu.cornell.mannlib.vitro.webapp.modelaccess.ModelAccess;
@@ -143,10 +143,6 @@ public void doPost (HttpServletRequest req, HttpServletResponse response) {
             throw new RuntimeException(e);
         }
 
-        optionMap.put("HiddenFromDisplayBelowRoleLevelUsingRoleUri",RoleLevelOptionsSetup.getDisplayOptionsList(propertyForEditing));
-        optionMap.put("ProhibitedFromUpdateBelowRoleLevelUsingRoleUri",RoleLevelOptionsSetup.getUpdateOptionsList(propertyForEditing));
-        optionMap.put("HiddenFromPublishBelowRoleLevelUsingRoleUri",RoleLevelOptionsSetup.getPublishOptionsList(propertyForEditing));
-
         List<Option> groupOptList = FormUtils.makeOptionListFromBeans(request.getUnfilteredWebappDaoFactory().getPropertyGroupDao().getPublicGroups(true),"URI","Name", ((propertyForEditing.getGroupURI()==null) ? "" : propertyForEditing.getGroupURI()), null, (propertyForEditing.getGroupURI()!=null));
         HashMap<String,Option> hashMap = new HashMap<String,Option>();
         groupOptList = getSortedList(hashMap,groupOptList,request);
@@ -186,6 +182,8 @@ public void doPost (HttpServletRequest req, HttpServletResponse response) {
         request.setAttribute("scripts","/templates/edit/formBasic.js");
         request.setAttribute("title","Property Editing Form");
         request.setAttribute("_action",action);
+
+        addAccessAttributes(request, propertyForEditing.getURI(), AccessObjectType.OBJECT_PROPERTY);
         setRequestAttributes(request,epo);
 
         try {
@@ -193,7 +191,7 @@ public void doPost (HttpServletRequest req, HttpServletResponse response) {
         } catch (Exception e) {
             log.error("PropertyRetryController could not forward to view.");
             log.error(e.getMessage());
-            log.error(e.getStackTrace());
+            log.error(e, e);
         }
 
     }
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/VclassEditController.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/VclassEditController.java
index a9b018670f..efdbc6fdff 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/VclassEditController.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/VclassEditController.java
@@ -36,7 +36,7 @@
 public class VclassEditController extends BaseEditController {
 
 	private static final Log log = LogFactory.getLog(VclassEditController.class.getName());
-	private static final int NUM_COLS = 14;
+	private static final int NUM_COLS = 11;
 
     public void doPost (HttpServletRequest req, HttpServletResponse response) {
         if (!isAuthorizedToDisplayPage(req, response, SimplePermission.EDIT_ONTOLOGY.ACTION)) {
@@ -67,13 +67,10 @@ public void doPost (HttpServletRequest req, HttpServletResponse response) {
         results.add("short definition");     // 6
         results.add("example");              // 7
         results.add("editor description");   // 8
-        //results.add("curator comments");
-        results.add("display level");        // 9
-        results.add("update level");         // 10
-        results.add("display rank");         // 11
-        results.add("custom entry form");    // 12
-        results.add("URI");                  // 13
-        results.add("publish level");        // 14
+        //results.add("curator comments"); 
+        results.add("display rank");         // 9
+        results.add("custom entry form");    // 10
+        results.add("URI");                  // 11
 
         String ontologyName = null;
         if (vcl.getNamespace() != null) {
@@ -111,14 +108,6 @@ public void doPost (HttpServletRequest req, HttpServletResponse response) {
             commSb = new StringBuffer("no comments yet");
         }
 
-		String hiddenFromDisplay = (vcl.getHiddenFromDisplayBelowRoleLevel() == null ? "(unspecified)"
-				: vcl.getHiddenFromDisplayBelowRoleLevel().getDisplayLabel());
-		String ProhibitedFromUpdate = (vcl
-				.getProhibitedFromUpdateBelowRoleLevel() == null ? "(unspecified)"
-				: vcl.getProhibitedFromUpdateBelowRoleLevel().getUpdateLabel());
-		String hiddenFromPublish = (vcl.getHiddenFromPublishBelowRoleLevel() == null ? "(unspecified)"
-				: vcl.getHiddenFromPublishBelowRoleLevel().getDisplayLabel());
-
         String customEntryForm = (vcl.getCustomEntryForm() == null ? "(unspecified)" : vcl.getCustomEntryForm());
 
        //String lastModified = "<i>not implemented yet</i>"; // TODO
@@ -133,13 +122,10 @@ public void doPost (HttpServletRequest req, HttpServletResponse response) {
         results.add(shortDef);               // 6
         results.add(example);                // 7
         results.add(description);            // 8
-        //results.add(commSb.toString());    //
-        results.add(hiddenFromDisplay);      // 9
-        results.add(ProhibitedFromUpdate);   // 10
-        results.add(String.valueOf(vcl.getDisplayRank())); // 11
-        results.add(customEntryForm);        // 12
-        results.add(uri);                    // 13
-        results.add(hiddenFromPublish);      // 14
+        //results.add(commSb.toString());    // 
+        results.add(String.valueOf(vcl.getDisplayRank())); // 9
+        results.add(customEntryForm);        // 10
+        results.add(uri);                    // 11
         request.setAttribute("results", results);
         request.setAttribute("columncount", NUM_COLS);
         request.setAttribute("suppressquery", "true");
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/VclassRetryController.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/VclassRetryController.java
index 326b4fb1db..0ba8117966 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/VclassRetryController.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/VclassRetryController.java
@@ -26,11 +26,11 @@
 import edu.cornell.mannlib.vedit.listener.ChangeListener;
 import edu.cornell.mannlib.vedit.util.FormUtils;
 import edu.cornell.mannlib.vedit.validator.impl.XMLNameValidator;
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType;
 import edu.cornell.mannlib.vitro.webapp.auth.permissions.SimplePermission;
 import edu.cornell.mannlib.vitro.webapp.beans.Classes2Classes;
 import edu.cornell.mannlib.vitro.webapp.beans.VClass;
 import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
-import edu.cornell.mannlib.vitro.webapp.controller.edit.utils.RoleLevelOptionsSetup;
 import edu.cornell.mannlib.vitro.webapp.dao.OntologyDao;
 import edu.cornell.mannlib.vitro.webapp.dao.VClassDao;
 import edu.cornell.mannlib.vitro.webapp.dao.VClassGroupDao;
@@ -145,10 +145,6 @@ public void doPost (HttpServletRequest req, HttpServletResponse response) {
             log.error(this.getClass().getName() + "unable to create Namespace option list");
         }
 
-        optionMap.put("HiddenFromDisplayBelowRoleLevelUsingRoleUri",RoleLevelOptionsSetup.getDisplayOptionsList(vclassForEditing));
-        optionMap.put("ProhibitedFromUpdateBelowRoleLevelUsingRoleUri",RoleLevelOptionsSetup.getUpdateOptionsList(vclassForEditing));
-        optionMap.put("HiddenFromPublishBelowRoleLevelUsingRoleUri",RoleLevelOptionsSetup.getPublishOptionsList(vclassForEditing));
-
         FormObject foo = new FormObject();
         foo.setErrorMap(epo.getErrMsgMap());
         foo.setOptionLists(optionMap);
@@ -165,6 +161,8 @@ public void doPost (HttpServletRequest req, HttpServletResponse response) {
         request.setAttribute("title","Class Editing Form");
         request.setAttribute("_action",action);
         request.setAttribute("unqualifiedClassName","VClass");
+
+        addAccessAttributes(request, vclassForEditing.getURI(), AccessObjectType.CLASS);
         setRequestAttributes(request,epo);
 
         try {
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/utils/RoleLevelOptionsSetup.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/utils/RoleLevelOptionsSetup.java
deleted file mode 100644
index c460e43eab..0000000000
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/utils/RoleLevelOptionsSetup.java
+++ /dev/null
@@ -1,100 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package edu.cornell.mannlib.vitro.webapp.controller.edit.utils;
-
-import java.util.LinkedList;
-import java.util.List;
-
-import edu.cornell.mannlib.vedit.beans.Option;
-import edu.cornell.mannlib.vitro.webapp.beans.ResourceBean;
-import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-
-public class RoleLevelOptionsSetup {
-    private static final Log log = LogFactory.getLog(RoleLevelOptionsSetup.class.getName());
-
-    public static List<Option> getDisplayOptionsList(ResourceBean b) {
-        List<Option> hiddenFromDisplayList = new LinkedList<Option>();
-        try {
-            BaseResourceBean.RoleLevel currentLevel = b.getHiddenFromDisplayBelowRoleLevel();
-            BaseResourceBean.RoleLevel roles[] = BaseResourceBean.RoleLevel.values();
-            boolean someLevelSet=false;
-            Option publicOption = null;
-            for (BaseResourceBean.RoleLevel level : roles) {
-                Option option = new Option (level.getURI(),level.getDisplayLabel(),false);
-                if (level==BaseResourceBean.RoleLevel.PUBLIC) {
-                    publicOption = option;
-                }
-                if (level==currentLevel) {
-                    option.setSelected(true);
-                    someLevelSet=true;
-                }
-                hiddenFromDisplayList.add(option);
-            }
-            if (!someLevelSet) {
-                publicOption.setSelected(true);
-            }
-        } catch (Exception ex) {
-            log.error("cannot create HiddenFromDisplayBelowRoleLevel options");
-        }
-        return hiddenFromDisplayList;
-    }
-
-    public static List<Option> getUpdateOptionsList(ResourceBean b) {
-        List<Option> prohibitedFromUpdateList = new LinkedList<Option>();
-        try {
-            BaseResourceBean.RoleLevel currentLevel = b.getProhibitedFromUpdateBelowRoleLevel();
-            BaseResourceBean.RoleLevel roles[] = BaseResourceBean.RoleLevel.values();
-            boolean someLevelSet=false;
-            Option publicOption = null;
-            for (BaseResourceBean.RoleLevel level : roles) {
-                Option option = new Option (level.getURI(),level.getUpdateLabel(),false);
-                if (level==BaseResourceBean.RoleLevel.PUBLIC) {
-                    publicOption = option;
-                }
-                if (level==currentLevel) {
-                    option.setSelected(true);
-                    someLevelSet=true;
-                }
-                prohibitedFromUpdateList.add(option);
-            }
-            if (!someLevelSet) {
-                publicOption.setSelected(true);
-            }
-        } catch (Exception ex) {
-            log.error("cannot create ProhibitedFromUpdateBelowRoleLevel options");
-        }
-        return prohibitedFromUpdateList;
-    }
-
-    public static List<Option> getPublishOptionsList(ResourceBean b) {
-        List<Option> hiddenFromPublishList = new LinkedList<Option>();
-        try {
-            BaseResourceBean.RoleLevel currentLevel = b.getHiddenFromPublishBelowRoleLevel();
-            BaseResourceBean.RoleLevel roles[] = BaseResourceBean.RoleLevel.values();
-            boolean someLevelSet=false;
-            Option publicOption = null;
-            for (BaseResourceBean.RoleLevel level : roles) {
-                Option option = new Option (level.getURI(),level.getDisplayLabel(),false);
-                if (level==BaseResourceBean.RoleLevel.PUBLIC) {
-                    publicOption = option;
-                }
-                if (level==currentLevel) {
-                    option.setSelected(true);
-                    someLevelSet=true;
-                }
-                hiddenFromPublishList.add(option);
-            }
-            if (!someLevelSet) {
-                publicOption.setSelected(true);
-            }
-        } catch (Exception ex) {
-            log.error("cannot create HiddenFromPublishBelowRoleLevel options");
-        }
-        return hiddenFromPublishList;
-    }
-
-
-}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/freemarker/FileUploadController.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/freemarker/FileUploadController.java
index 297e29dbf3..c45a8f6110 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/freemarker/FileUploadController.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/freemarker/FileUploadController.java
@@ -1,6 +1,5 @@
 package edu.cornell.mannlib.vitro.webapp.controller.freemarker;
 
-import static edu.cornell.mannlib.vitro.webapp.auth.requestedAction.AuthorizationRequest.UNAUTHORIZED;
 import static edu.cornell.mannlib.vitro.webapp.controller.freemarker.ImageUploadController.PARAMETER_UPLOADED_FILE;
 
 import java.io.IOException;
@@ -29,10 +28,11 @@
 import org.apache.tika.mime.MimeTypes;
 
 import edu.cornell.mannlib.vitro.webapp.application.ApplicationUtils;
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.AccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.ObjectPropertyStatementAccessObject;
 import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.AuthorizationRequest;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AddObjectPropertyStatement;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.DropObjectPropertyStatement;
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.SimpleAuthorizationRequest;
 import edu.cornell.mannlib.vitro.webapp.beans.Individual;
 import edu.cornell.mannlib.vitro.webapp.beans.Property;
 import edu.cornell.mannlib.vitro.webapp.config.ConfigurationProperties;
@@ -84,23 +84,28 @@ public void init() throws ServletException {
 		setAllowedMediaTypes();
 	}
 
-	@Override
-	protected AuthorizationRequest requiredActions(VitroRequest vreq) {
-		RequestedAction ra;
-		try {
-			Property predicate = new Property(getPredicateUri(vreq));
-			final OntModel jenaOntModel = vreq.getJenaOntModel();
-			final String subject = getSubjectUri(vreq);
-			if (isUpload(vreq)) {
-				ra = new AddObjectPropertyStatement(jenaOntModel, subject, predicate,RequestedAction.SOME_URI);
-			} else { // delete
-				ra = new DropObjectPropertyStatement(jenaOntModel, subject, predicate, getFileUri(vreq));
-			}
-			return ra;
-		} catch (Exception e) {
-			return UNAUTHORIZED;
-		}
-	}
+    @Override
+    protected AuthorizationRequest requiredActions(VitroRequest vreq) {
+        AccessObject accessObject;
+        AccessOperation accessOperation;
+        try {
+            Property predicate = new Property(getPredicateUri(vreq));
+            final OntModel jenaOntModel = vreq.getJenaOntModel();
+            final String subject = getSubjectUri(vreq);
+            if (isUpload(vreq)) {
+                accessObject = new ObjectPropertyStatementAccessObject(jenaOntModel, subject, predicate,
+                        AccessObject.SOME_URI);
+                accessOperation = AccessOperation.ADD;
+            } else { // delete
+                accessObject =
+                        new ObjectPropertyStatementAccessObject(jenaOntModel, subject, predicate, getFileUri(vreq));
+                accessOperation = AccessOperation.DROP;
+            }
+            return new SimpleAuthorizationRequest(accessObject, accessOperation);
+        } catch (Exception e) {
+            return AuthorizationRequest.UNAUTHORIZED;
+        }
+    }
 
 	private String getFileUri(VitroRequest vreq) {
 		return vreq.getParameter(PARAMETER_FILE_URI);
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/freemarker/FreemarkerHttpServlet.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/freemarker/FreemarkerHttpServlet.java
index cd416b931c..cd19d42232 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/freemarker/FreemarkerHttpServlet.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/freemarker/FreemarkerHttpServlet.java
@@ -2,7 +2,6 @@
 
 package edu.cornell.mannlib.vitro.webapp.controller.freemarker;
 
-import static edu.cornell.mannlib.vitro.webapp.auth.requestedAction.AuthorizationRequest.AUTHORIZED;
 import static javax.mail.Message.RecipientType.TO;
 
 import java.io.IOException;
@@ -21,7 +20,9 @@
 import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-
+import edu.cornell.mannlib.vitro.webapp.auth.checks.ProximityChecker;
+import edu.cornell.mannlib.vitro.webapp.auth.checks.QueryResultsMapCache;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.AccessObject;
 import edu.cornell.mannlib.vitro.webapp.auth.permissions.SimplePermission;
 import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyHelper;
 import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.AuthorizationRequest;
@@ -100,7 +101,7 @@ public void doGet( HttpServletRequest request, HttpServletResponse response )
         VitroRequest vreq = new VitroRequest(request);
         ResponseValues responseValues = null;
 
-    	try {
+    	try(QueryResultsMapCache personResourceCache = new QueryResultsMapCache()) {
 
             // This method does a redirect if the required authorizations are not met, so just return.
             if (!isAuthorizedToDisplayPage(request, response, requiredActions(vreq))) {
@@ -119,7 +120,7 @@ public void doGet( HttpServletRequest request, HttpServletResponse response )
                 }
     	    }
     	    handleException(vreq, response, e);
-    	}
+    	} 
     }
 
     /** In case of a processing error, display an error page. To an authorized user, the page displays
@@ -227,7 +228,7 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)
      *
      */
     protected AuthorizationRequest requiredActions(VitroRequest vreq) {
-        return AUTHORIZED;
+        return AuthorizationRequest.AUTHORIZED;
     }
 
     // Subclasses will override
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/freemarker/ImageUploadController.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/freemarker/ImageUploadController.java
index 326e4d3ed1..2af9bd0428 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/freemarker/ImageUploadController.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/freemarker/ImageUploadController.java
@@ -2,8 +2,6 @@
 
 package edu.cornell.mannlib.vitro.webapp.controller.freemarker;
 
-import static edu.cornell.mannlib.vitro.webapp.auth.requestedAction.AuthorizationRequest.UNAUTHORIZED;
-
 import javax.servlet.ServletException;
 import javax.servlet.annotation.WebServlet;
 import javax.servlet.http.HttpServletRequest;
@@ -13,11 +11,11 @@
 import org.apache.commons.logging.LogFactory;
 
 import edu.cornell.mannlib.vitro.webapp.application.ApplicationUtils;
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.AccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.ObjectPropertyStatementAccessObject;
 import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.AuthorizationRequest;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AddObjectPropertyStatement;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.DropObjectPropertyStatement;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.EditObjectPropertyStatement;
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.SimpleAuthorizationRequest;
 import edu.cornell.mannlib.vitro.webapp.beans.Individual;
 import edu.cornell.mannlib.vitro.webapp.beans.Property;
 import edu.cornell.mannlib.vitro.webapp.config.ConfigurationProperties;
@@ -148,24 +146,28 @@ protected AuthorizationRequest requiredActions(VitroRequest vreq) {
 			Property indMainImage = new Property();
 			indMainImage.setURI(VitroVocabulary.IND_MAIN_IMAGE);
 
-			RequestedAction ra;
+			AccessObject ra;
+			AccessOperation ao;
 			if (ACTION_DELETE.equals(action)
 					|| ACTION_DELETE_EDIT.equals(action)) {
-				ra = new DropObjectPropertyStatement(vreq.getJenaOntModel(),
+			    ao = AccessOperation.DROP;
+				ra = new ObjectPropertyStatementAccessObject(vreq.getJenaOntModel(),
 						entity.getURI(), indMainImage,
 						imageUri);
 			} else if (imageUri != null) {
-				ra = new EditObjectPropertyStatement(vreq.getJenaOntModel(),
+			    ao = AccessOperation.EDIT;
+				ra = new ObjectPropertyStatementAccessObject(vreq.getJenaOntModel(),
 						entity.getURI(), indMainImage,
 						imageUri);
 			} else {
-				ra = new AddObjectPropertyStatement(vreq.getJenaOntModel(),
+			    ao = AccessOperation.ADD;
+				ra = new ObjectPropertyStatementAccessObject(vreq.getJenaOntModel(),
 						entity.getURI(), indMainImage,
-						RequestedAction.SOME_URI);
+						AccessObject.SOME_URI);
 			}
-			return ra;
+			return new SimpleAuthorizationRequest(ra, ao);
 		} catch (UserMistakeException e) {
-			return UNAUTHORIZED;
+			return AuthorizationRequest.UNAUTHORIZED;
 		}
 	}
 
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/freemarker/ListVClassWebappsController.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/freemarker/ListVClassWebappsController.java
index 6c5b622bdd..061f947361 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/freemarker/ListVClassWebappsController.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/freemarker/ListVClassWebappsController.java
@@ -4,7 +4,6 @@
 
 import java.net.URLEncoder;
 import java.util.HashMap;
-import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
 
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/freemarker/PageController.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/freemarker/PageController.java
index 4d0a62cbc2..a5e2a99829 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/freemarker/PageController.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/freemarker/PageController.java
@@ -3,9 +3,6 @@
 package edu.cornell.mannlib.vitro.webapp.controller.freemarker;
 
 
-import static edu.cornell.mannlib.vitro.webapp.auth.requestedAction.AuthorizationRequest.AUTHORIZED;
-import static edu.cornell.mannlib.vitro.webapp.auth.requestedAction.AuthorizationRequest.UNAUTHORIZED;
-
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -19,11 +16,13 @@
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType;
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.NamedAccessObject;
 import edu.cornell.mannlib.vitro.webapp.auth.permissions.SimplePermission;
 import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyHelper;
 import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.AuthorizationRequest;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.SimpleRequestedAction;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.RequiresActions;
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.SimpleAuthorizationRequest;
 import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
 import edu.cornell.mannlib.vitro.webapp.controller.freemarker.responsevalues.ResponseValues;
 import edu.cornell.mannlib.vitro.webapp.controller.freemarker.responsevalues.TemplateResponseValues;
@@ -57,11 +56,10 @@ public class PageController extends FreemarkerHttpServlet{
     @Override
     protected AuthorizationRequest requiredActions(VitroRequest vreq) {
         try {
-			return AUTHORIZED.and(getActionsForPage(vreq)).and(
-					getActionsForDataGetters(vreq));
+			return getActionsForPage(vreq);
         } catch (Exception e) {
             log.warn(e);
-            return UNAUTHORIZED;
+            return AuthorizationRequest.UNAUTHORIZED;
         }
     }
 
@@ -69,36 +67,16 @@ protected AuthorizationRequest requiredActions(VitroRequest vreq) {
      * Get all the required actions directly required for the page.
      */
     private AuthorizationRequest getActionsForPage( VitroRequest vreq ) throws Exception{
-        List<String> simplePremUris = vreq.getWebappDaoFactory().getPageDao()
-            .getRequiredActions( getPageUri(vreq) );
-
-        AuthorizationRequest auth = AUTHORIZED;
+        List<String> simplePremUris = vreq.getWebappDaoFactory().getPageDao().getRequiredActions( getPageUri(vreq) );
+        AuthorizationRequest auth = AuthorizationRequest.AUTHORIZED;
         for( String uri : simplePremUris ){
-            auth = auth.and( new SimpleRequestedAction(uri) );
-        }
-        return auth;
-    }
-
-    /**
-     * Get Actions object for the data getters for the page.
-     */
-    private AuthorizationRequest getActionsForDataGetters(VitroRequest vreq ){
-        try {
-            List<DataGetter> dgList =
-                DataGetterUtils.getDataGettersForPage(
-                    vreq, vreq.getDisplayModel(), getPageUri(vreq));
-
-            AuthorizationRequest auth = AUTHORIZED;
-            for( DataGetter dg : dgList){
-                if( dg instanceof RequiresActions ){
-                    auth = auth.and(((RequiresActions) dg).requiredActions(vreq));
-                }
+            if (StringUtils.isBlank(uri)) {
+                continue;
             }
-            return auth;
-        } catch (Exception e) {
-            log.debug(e);
-            return UNAUTHORIZED;
+            NamedAccessObject ao = new NamedAccessObject(uri, AccessObjectType.NAMED_OBJECT);
+            auth = auth.and( new SimpleAuthorizationRequest(ao, AccessOperation.EXECUTE));
         }
+        return auth;
     }
 
     @Override
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/freemarker/responsevalues/NotAuthorizedResponseValues.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/freemarker/responsevalues/NotAuthorizedResponseValues.java
index 0231da9fbf..4848363266 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/freemarker/responsevalues/NotAuthorizedResponseValues.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/freemarker/responsevalues/NotAuthorizedResponseValues.java
@@ -2,7 +2,8 @@
 
 package edu.cornell.mannlib.vitro.webapp.controller.freemarker.responsevalues;
 
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction;
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.AuthorizationRequest;
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ForbiddenAuthorizationRequest;
 
 /**
  * This allows processRequest() in sub-classes of FreemarkerHttpServlet to
@@ -20,8 +21,8 @@ public NotAuthorizedResponseValues(String logMessage) {
 		this.logMessage = logMessage;
 	}
 
-	public RequestedAction getUnauthorizedAction() {
-		return new RequestedAction() {
+	public AuthorizationRequest getUnauthorizedAction() {
+		return new ForbiddenAuthorizationRequest() {
 			@Override
 			public String toString() {
 				return "Servlet not authorized: " + logMessage;
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/individual/IndividualRdfAssembler.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/individual/IndividualRdfAssembler.java
index 90e5608c2b..c4f578dab9 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/individual/IndividualRdfAssembler.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/individual/IndividualRdfAssembler.java
@@ -28,12 +28,14 @@
 import org.apache.jena.vocabulary.RDF;
 import org.apache.jena.vocabulary.RDFS;
 
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.AccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.DataPropertyStatementAccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.ObjectPropertyStatementAccessObject;
 import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyHelper;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.publish.PublishDataPropertyStatement;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.publish.PublishObjectPropertyStatement;
 import edu.cornell.mannlib.vitro.webapp.beans.DataPropertyStatement;
 import edu.cornell.mannlib.vitro.webapp.beans.DataPropertyStatementImpl;
+import edu.cornell.mannlib.vitro.webapp.beans.Property;
 import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
 import edu.cornell.mannlib.vitro.webapp.controller.freemarker.responsevalues.RdfResponseValues;
 import edu.cornell.mannlib.vitro.webapp.controller.freemarker.responsevalues.ResponseValues;
@@ -205,16 +207,19 @@ private void removeProhibitedTriples(OntModel o) {
 				String value = stmt.getObject().asLiteral().getString();
 				DataPropertyStatement dps = new DataPropertyStatementImpl(
 						subjectUri, predicateUri, value);
-				RequestedAction pdps = new PublishDataPropertyStatement(o, dps);
-				if (!PolicyHelper.isAuthorizedForActions(vreq, pdps)) {
+				AccessObject pdps = new DataPropertyStatementAccessObject(o, dps);
+				if (!PolicyHelper.isAuthorizedForActions(vreq, pdps, AccessOperation.PUBLISH)) {
 					log.debug("not authorized: " + pdps);
 					stmts.remove();
 				}
 			} else if (stmt.getObject().isURIResource()) {
 				String objectUri = stmt.getObject().asResource().getURI();
-				RequestedAction pops = new PublishObjectPropertyStatement(o,
-						subjectUri, predicateUri, objectUri);
-				if (!PolicyHelper.isAuthorizedForActions(vreq, pops)) {
+				 /** We don't need to know range and domain because publishing never involves faux properties. */
+				Property prop = new Property(predicateUri);
+				prop.setDomainVClassURI("?SOME_URI");
+				prop.setRangeVClassURI("?SOME_URI");
+				AccessObject pops = new ObjectPropertyStatementAccessObject(o, subjectUri, prop, objectUri);
+				if (!PolicyHelper.isAuthorizedForActions(vreq, pops, AccessOperation.PUBLISH)) {
 					log.debug("not authorized: " + pops);
 					stmts.remove();
 				}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/jena/JenaExportController.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/jena/JenaExportController.java
index b6cfe8711b..7cfbdaf4e5 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/jena/JenaExportController.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/jena/JenaExportController.java
@@ -44,8 +44,10 @@
 
 @WebServlet(name = "JenaExportController", urlPatterns = {"/export/*"} )
 public class JenaExportController extends BaseEditController {
-	private static final AuthorizationRequest REQUIRED_ACTIONS = SimplePermission.USE_ADVANCED_DATA_TOOLS_PAGES.ACTION
-			.or(SimplePermission.EDIT_ONTOLOGY.ACTION);
+	private static final AuthorizationRequest REQUIRED_ACTIONS = 
+	        AuthorizationRequest.or(
+	        SimplePermission.USE_ADVANCED_DATA_TOOLS_PAGES.ACTION,
+			SimplePermission.EDIT_ONTOLOGY.ACTION);
 
 
 	private static final Log log = LogFactory.getLog(JenaExportController.class);
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/json/JsonServlet.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/json/JsonServlet.java
index cdaa4191bf..7edb8dae0e 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/json/JsonServlet.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/json/JsonServlet.java
@@ -14,7 +14,7 @@
 import com.fasterxml.jackson.databind.node.ObjectNode;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-
+import edu.cornell.mannlib.vitro.webapp.auth.checks.QueryResultsMapCache;
 import edu.cornell.mannlib.vitro.webapp.beans.DataProperty;
 import edu.cornell.mannlib.vitro.webapp.beans.Individual;
 import edu.cornell.mannlib.vitro.webapp.controller.VitroHttpServlet;
@@ -50,34 +50,37 @@ protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws Se
         log.debug(LogUtils.formatRequestProperties(log, "debug", req));
 
         VitroRequest vreq = new VitroRequest(req);
-        if (vreq.getParameter("getEntitiesByVClass") != null) {
-            if( vreq.getParameter("resultKey") == null) {
-                new GetEntitiesByVClass(vreq).process(resp);
-            } else {
-            	new GetEntitiesByVClassContinuation(vreq).process(resp);
-            }
-        }else if( vreq.getParameter("getN3EditOptionList") != null ){
-        	throw new IllegalArgumentException("The call invoked deprecated classes " +
-        			"and the parameter for this call appeared nowhere in the code base, " +
-        			"so it was removed in May, 2012.");
-        }else if( vreq.getParameter("getSearchIndividualsByVClass") != null ){
-            new GetSearchIndividualsByVClass(vreq).process(resp);
-        }else if( vreq.getParameter("getVClassesForVClassGroup") != null ){
-            new GetVClassesForVClassGroup(vreq).process(resp);
-        } else if( vreq.getParameter("getSearchIndividualsByVClasses") != null ){
-        	log.debug("AJAX request to retrieve individuals by vclasses");
-        	new	GetSearchIndividualsByVClasses(vreq).process(resp);
-        } else if( vreq.getParameter("getDataForPage") != null ){
-            throw new IllegalArgumentException("The call invoked deprecated classes " +
-                    "and the parameter for this call appeared nowhere in the code base, " +
-                    "so it was removed in Aug 5th 2013.");
-        }else if( vreq.getParameter("getRenderedSearchIndividualsByVClass") != null ){
-            new GetRenderedSearchIndividualsByVClass(vreq).process(resp);
-        }else if( vreq.getParameter("getRandomSearchIndividualsByVClass") != null ){
-            new GetRandomSearchIndividualsByVClass(vreq).process(resp);
-        } else if( vreq.getParameter("getAllVClasses") != null ){
-            new GetAllVClasses(vreq).process(resp);
-        }
+    	try(QueryResultsMapCache personResourceCache = new QueryResultsMapCache()){
+	        if (vreq.getParameter("getEntitiesByVClass") != null) {
+	            if( vreq.getParameter("resultKey") == null) {
+	                new GetEntitiesByVClass(vreq).process(resp);
+	            } else {
+	            	new GetEntitiesByVClassContinuation(vreq).process(resp);
+	            }
+	        }else if( vreq.getParameter("getN3EditOptionList") != null ){
+	        	throw new IllegalArgumentException("The call invoked deprecated classes " +
+	        			"and the parameter for this call appeared nowhere in the code base, " +
+	        			"so it was removed in May, 2012.");
+	        }else if( vreq.getParameter("getSearchIndividualsByVClass") != null ){
+	            new GetSearchIndividualsByVClass(vreq).process(resp);
+	        }else if( vreq.getParameter("getVClassesForVClassGroup") != null ){
+	            new GetVClassesForVClassGroup(vreq).process(resp);
+	        } else if( vreq.getParameter("getSearchIndividualsByVClasses") != null ){
+	        	log.debug("AJAX request to retrieve individuals by vclasses");
+	        	new	GetSearchIndividualsByVClasses(vreq).process(resp);
+	        } else if( vreq.getParameter("getDataForPage") != null ){
+	            throw new IllegalArgumentException("The call invoked deprecated classes " +
+	                    "and the parameter for this call appeared nowhere in the code base, " +
+	                    "so it was removed in Aug 5th 2013.");
+	        }else if( vreq.getParameter("getRenderedSearchIndividualsByVClass") != null ){
+	        		new GetRenderedSearchIndividualsByVClass(vreq).process(resp);	
+	
+	        }else if( vreq.getParameter("getRandomSearchIndividualsByVClass") != null ){
+	            new GetRandomSearchIndividualsByVClass(vreq).process(resp);
+	        } else if( vreq.getParameter("getAllVClasses") != null ){
+	            new GetAllVClasses(vreq).process(resp);
+	        }
+    	}
 
     }
 
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/PropertyDao.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/PropertyDao.java
index f4cd92b5f7..a4c9c8993f 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/PropertyDao.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/PropertyDao.java
@@ -7,7 +7,6 @@
 
 import org.apache.jena.vocabulary.OWL;
 
-import edu.cornell.mannlib.vitro.webapp.auth.policy.bean.RoleRestrictedProperty;
 import edu.cornell.mannlib.vitro.webapp.beans.Property;
 import edu.cornell.mannlib.vitro.webapp.beans.VClass;
 
@@ -77,10 +76,6 @@ public FullPropertyKey(Property p) {
 			this(p.getDomainVClassURI(), p.getURI(), p.getRangeVClassURI());
 		}
 
-		public FullPropertyKey(RoleRestrictedProperty p) {
-			this(p.getDomainVClassURI(), p.getURI(), p.getRangeVClassURI());
-		}
-
 		public FullPropertyKey(String domainUri, String propertyUri,
 				String rangeUri) {
 			this.propertyUri = Objects.requireNonNull(propertyUri,
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/VitroVocabulary.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/VitroVocabulary.java
index a150b5b5ab..c762acfa83 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/VitroVocabulary.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/VitroVocabulary.java
@@ -52,20 +52,8 @@ public class VitroVocabulary {
     public static final String EXTERNALID = vitroURI+"externalId";
     public static final String DATAPROPERTY_ISEXTERNALID = vitroURI+"isExternalId";
 
-    public static final String HIDDEN_FROM_DISPLAY_BELOW_ROLE_LEVEL_ANNOT = vitroURI+"hiddenFromDisplayBelowRoleLevelAnnot";
-    public static final String PROHIBITED_FROM_UPDATE_BELOW_ROLE_LEVEL_ANNOT = vitroURI+"prohibitedFromUpdateBelowRoleLevelAnnot";
-	public static final String HIDDEN_FROM_PUBLISH_BELOW_ROLE_LEVEL_ANNOT = vitroURI+"hiddenFromPublishBelowRoleLevelAnnot";
-
     public static final String MOST_SPECIFIC_TYPE = vitroURI + "mostSpecificType";
 
-    // roles
-    public static final String PUBLIC = "http://vitro.mannlib.cornell.edu/ns/vitro/role#public";
-    public static final String SELF = "http://vitro.mannlib.cornell.edu/ns/vitro/role#selfEditor";
-    public static final String EDITOR = "http://vitro.mannlib.cornell.edu/ns/vitro/role#editor";
-    public static final String CURATOR = "http://vitro.mannlib.cornell.edu/ns/vitro/role#curator";
-    public static final String DB_ADMIN = "http://vitro.mannlib.cornell.edu/ns/vitro/role#dbAdmin";
-    public static final String NOBODY = "http://vitro.mannlib.cornell.edu/ns/vitro/role#nobody";
-
     public static final String SEARCH_BOOST_ANNOT = vitroURI + "searchBoostAnnot";
 
     public static final String DEPENDENT_RESORUCE = "http://vivoweb.org/ontology/core#DependentResource";
@@ -136,6 +124,11 @@ public class VitroVocabulary {
     // reusing displayRank property above
     public static final String PORTAL_URLPREFIX = vitroURI + "urlPrefix";
 
+    // =============== Vitro Access control vocabulary =================================
+    
+    public static final String AUTH_INDIVIDUAL_PREFIX = "https://vivoweb.org/ontology/vitro-application/auth/individual/";
+    public static final String AUTH_VOCABULARY_PREFIX = "https://vivoweb.org/ontology/vitro-application/auth/vocabulary/";
+    
     // =============== Vitro User vocabulary =================================
 
     // TODO JB This should go away when the new method of associating UserAccounts with Individuals is in place.
@@ -169,6 +162,8 @@ public class VitroVocabulary {
 
     public static final String PERMISSION = VITRO_AUTH + "Permission";
 
+    public static final String PERMISSION_FOR_ENTITY = VITRO_AUTH + "forEntity";
+
     // =============== model auditing vocabulary =============================
 
     public static final String STATEMENT_EVENT = vitroURI+"StatementEvent";
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/filtering/DataPropertyDaoFiltering.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/filtering/DataPropertyDaoFiltering.java
index 9028f3c933..e2198c0d30 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/filtering/DataPropertyDaoFiltering.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/filtering/DataPropertyDaoFiltering.java
@@ -2,7 +2,7 @@
 
 package edu.cornell.mannlib.vitro.webapp.dao.filtering;
 
-import static edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction.SOME_LITERAL;
+import static edu.cornell.mannlib.vitro.webapp.auth.objects.AccessObject.SOME_LITERAL;
 
 import java.util.ArrayList;
 import java.util.Collection;
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/filtering/DataPropertyFiltering.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/filtering/DataPropertyFiltering.java
index 74163e45f8..2dc718e21c 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/filtering/DataPropertyFiltering.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/filtering/DataPropertyFiltering.java
@@ -6,7 +6,6 @@
 import java.util.List;
 
 import net.sf.jga.algorithms.Filter;
-import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean;
 import edu.cornell.mannlib.vitro.webapp.beans.DataProperty;
 import edu.cornell.mannlib.vitro.webapp.beans.DataPropertyStatement;
 import edu.cornell.mannlib.vitro.webapp.dao.filtering.filters.VitroFilters;
@@ -91,21 +90,6 @@ public String getGroupURI() {
         return innerDataProperty.getGroupURI();
     }
 
-    @Override
-    public RoleLevel getHiddenFromDisplayBelowRoleLevel() {
-        return innerDataProperty.getHiddenFromDisplayBelowRoleLevel();
-    }
-
-    @Override
-    public RoleLevel getProhibitedFromUpdateBelowRoleLevel() {
-        return innerDataProperty.getProhibitedFromUpdateBelowRoleLevel();
-    }
-
-    @Override
-    public RoleLevel getHiddenFromPublishBelowRoleLevel() {
-        return innerDataProperty.getHiddenFromPublishBelowRoleLevel();
-    }
-
     @Override
     public String getLocalName() {
         return innerDataProperty.getLocalName();
@@ -181,36 +165,6 @@ public void setGroupURI(String in) {
         innerDataProperty.setGroupURI(in);
     }
 
-    @Override
-    public void setHiddenFromDisplayBelowRoleLevel(RoleLevel eR) {
-        innerDataProperty.setHiddenFromDisplayBelowRoleLevel(eR);
-    }
-
-    @Override
-    public void setHiddenFromDisplayBelowRoleLevelUsingRoleUri(String roleUri) {
-        innerDataProperty.setHiddenFromDisplayBelowRoleLevel(BaseResourceBean.RoleLevel.getRoleByUri(roleUri));
-    }
-
-    @Override
-    public void setProhibitedFromUpdateBelowRoleLevel(RoleLevel eR) {
-        innerDataProperty.setProhibitedFromUpdateBelowRoleLevel(eR);
-    }
-
-    @Override
-    public void setProhibitedFromUpdateBelowRoleLevelUsingRoleUri(String roleUri) {
-        innerDataProperty.setProhibitedFromUpdateBelowRoleLevel(BaseResourceBean.RoleLevel.getRoleByUri(roleUri));
-    }
-
-    @Override
-    public void setHiddenFromPublishBelowRoleLevel(RoleLevel eR) {
-        innerDataProperty.setHiddenFromPublishBelowRoleLevel(eR);
-    }
-
-    @Override
-    public void setHiddenFromPublishBelowRoleLevelUsingRoleUri(String roleUri) {
-        innerDataProperty.setHiddenFromPublishBelowRoleLevel(BaseResourceBean.RoleLevel.getRoleByUri(roleUri));
-    }
-
     @Override
     public void setLocalName(String localName) {
         innerDataProperty.setLocalName(localName);
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/filtering/IndividualFiltering.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/filtering/IndividualFiltering.java
index 474814878c..8048e67326 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/filtering/IndividualFiltering.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/filtering/IndividualFiltering.java
@@ -2,7 +2,7 @@
 
 package edu.cornell.mannlib.vitro.webapp.dao.filtering;
 
-import static edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction.SOME_LITERAL;
+import static edu.cornell.mannlib.vitro.webapp.auth.objects.AccessObject.SOME_LITERAL;
 
 import java.sql.Timestamp;
 import java.util.ArrayList;
@@ -19,15 +19,12 @@
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
-import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean;
-import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean.RoleLevel;
 import edu.cornell.mannlib.vitro.webapp.beans.DataProperty;
 import edu.cornell.mannlib.vitro.webapp.beans.DataPropertyStatement;
 import edu.cornell.mannlib.vitro.webapp.beans.DataPropertyStatementImpl;
 import edu.cornell.mannlib.vitro.webapp.beans.Individual;
 import edu.cornell.mannlib.vitro.webapp.beans.ObjectProperty;
 import edu.cornell.mannlib.vitro.webapp.beans.ObjectPropertyStatement;
-import edu.cornell.mannlib.vitro.webapp.beans.ObjectPropertyStatementImpl;
 import edu.cornell.mannlib.vitro.webapp.beans.VClass;
 import edu.cornell.mannlib.vitro.webapp.dao.filtering.filters.VitroFilters;
 
@@ -84,13 +81,14 @@ public List<DataProperty> getPopulatedDataPropertyList() {
 		// the DataProperty with statements. - jblake
         List<DataProperty> outdProps = new ArrayList<DataProperty>();
         List<DataProperty> dprops = _innerIndividual.getPopulatedDataPropertyList();
-        if( dprops == null )
-            return outdProps;
-		for (DataProperty dp: dprops) {
-			if (_filters.getDataPropertyStatementFilter().fn(
-					new DataPropertyStatementImpl(this._innerIndividual.getURI(), dp.getURI(), SOME_LITERAL))) {
-				outdProps.add(dp);
-			}
+		/*
+		 * if( dprops == null ) return outdProps; for (DataProperty dp: dprops) { if
+		 * (_filters.getDataPropertyStatementFilter().fn( new
+		 * DataPropertyStatementImpl(this._innerIndividual.getURI(), dp.getURI(),
+		 * SOME_LITERAL))) { outdProps.add(dp); } }
+		 */
+        if (dprops != null) {
+        	outdProps.addAll(dprops);
         }
         return outdProps;
     }
@@ -427,51 +425,6 @@ public JsonNode toJSON() {
         return _innerIndividual.toJSON();
     }
 
-    @Override
-    public RoleLevel getHiddenFromDisplayBelowRoleLevel() {
-        return _innerIndividual.getHiddenFromDisplayBelowRoleLevel();
-    }
-
-    @Override
-    public void setHiddenFromDisplayBelowRoleLevel(RoleLevel eR) {
-        _innerIndividual.setHiddenFromDisplayBelowRoleLevel(eR);
-    }
-
-    @Override
-    public void setHiddenFromDisplayBelowRoleLevelUsingRoleUri(String roleUri) {
-        _innerIndividual.setHiddenFromDisplayBelowRoleLevel(BaseResourceBean.RoleLevel.getRoleByUri(roleUri));
-    }
-
-    @Override
-    public RoleLevel getProhibitedFromUpdateBelowRoleLevel() {
-        return _innerIndividual.getProhibitedFromUpdateBelowRoleLevel();
-    }
-
-    @Override
-    public void setProhibitedFromUpdateBelowRoleLevel(RoleLevel eR) {
-        _innerIndividual.setProhibitedFromUpdateBelowRoleLevel(eR);
-    }
-
-    @Override
-    public void setProhibitedFromUpdateBelowRoleLevelUsingRoleUri(String roleUri) {
-        _innerIndividual.setProhibitedFromUpdateBelowRoleLevel(BaseResourceBean.RoleLevel.getRoleByUri(roleUri));
-    }
-
-    @Override
-    public RoleLevel getHiddenFromPublishBelowRoleLevel() {
-        return _innerIndividual.getHiddenFromPublishBelowRoleLevel();
-    }
-
-    @Override
-    public void setHiddenFromPublishBelowRoleLevel(RoleLevel eR) {
-        _innerIndividual.setHiddenFromPublishBelowRoleLevel(eR);
-    }
-
-    @Override
-    public void setHiddenFromPublishBelowRoleLevelUsingRoleUri(String roleUri) {
-        _innerIndividual.setHiddenFromPublishBelowRoleLevel(BaseResourceBean.RoleLevel.getRoleByUri(roleUri));
-    }
-
     @Override
     public boolean isAnonymous() {
         return _innerIndividual.isAnonymous();
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/filtering/ObjectPropertyFiltering.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/filtering/ObjectPropertyFiltering.java
index 3f8f4c1cfd..02c74da18c 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/filtering/ObjectPropertyFiltering.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/filtering/ObjectPropertyFiltering.java
@@ -130,21 +130,6 @@ public String getGroupURI() {
         return innerObjectProperty.getGroupURI();
     }
 
-    @Override
-    public RoleLevel getHiddenFromDisplayBelowRoleLevel() {
-        return innerObjectProperty.getHiddenFromDisplayBelowRoleLevel();
-    }
-
-    @Override
-    public RoleLevel getProhibitedFromUpdateBelowRoleLevel() {
-        return innerObjectProperty.getProhibitedFromUpdateBelowRoleLevel();
-    }
-
-    @Override
-    public RoleLevel getHiddenFromPublishBelowRoleLevel() {
-        return innerObjectProperty.getHiddenFromPublishBelowRoleLevel();
-    }
-
     @Override
     public boolean getInverseFunctional() {
         return innerObjectProperty.getInverseFunctional();
@@ -353,36 +338,6 @@ public void setGroupURI(String in) {
         innerObjectProperty.setGroupURI(in);
     }
 
-    @Override
-    public void setHiddenFromDisplayBelowRoleLevel(RoleLevel eR) {
-        innerObjectProperty.setHiddenFromDisplayBelowRoleLevel(eR);
-    }
-
-    @Override
-    public void setHiddenFromDisplayBelowRoleLevelUsingRoleUri(String roleUri) {
-        innerObjectProperty.setHiddenFromDisplayBelowRoleLevel(BaseResourceBean.RoleLevel.getRoleByUri(roleUri));
-    }
-
-    @Override
-    public void setProhibitedFromUpdateBelowRoleLevel(RoleLevel eR) {
-        innerObjectProperty.setProhibitedFromUpdateBelowRoleLevel(eR);
-    }
-
-    @Override
-    public void setProhibitedFromUpdateBelowRoleLevelUsingRoleUri(String roleUri) {
-        innerObjectProperty.setProhibitedFromUpdateBelowRoleLevel(BaseResourceBean.RoleLevel.getRoleByUri(roleUri));
-    }
-
-    @Override
-    public void setHiddenFromPublishBelowRoleLevel(RoleLevel eR) {
-        innerObjectProperty.setHiddenFromPublishBelowRoleLevel(eR);
-    }
-
-    @Override
-    public void setHiddenFromPublishBelowRoleLevelUsingRoleUri(String roleUri) {
-        innerObjectProperty.setHiddenFromPublishBelowRoleLevel(BaseResourceBean.RoleLevel.getRoleByUri(roleUri));
-    }
-
     @Override
     public void setInverseFunctional(boolean inverseFunctional) {
         innerObjectProperty.setInverseFunctional(inverseFunctional);
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/filtering/filters/FilterByDisplayPermission.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/filtering/filters/FilterByDisplayPermission.java
new file mode 100644
index 0000000000..a4a18b6fd1
--- /dev/null
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/filtering/filters/FilterByDisplayPermission.java
@@ -0,0 +1,98 @@
+/* $This file is distributed under the terms of the license in LICENSE$ */
+
+package edu.cornell.mannlib.vitro.webapp.dao.filtering.filters;
+
+import static edu.cornell.mannlib.vitro.webapp.auth.objects.AccessObject.SOME_URI;
+
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation;
+import edu.cornell.mannlib.vitro.webapp.auth.identifier.ActiveIdentifierBundleFactories;
+import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.AccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.DataPropertyAccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.DataPropertyStatementAccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.ObjectPropertyAccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.ObjectPropertyStatementAccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyHelper;
+import edu.cornell.mannlib.vitro.webapp.beans.DataProperty;
+import edu.cornell.mannlib.vitro.webapp.beans.DataPropertyStatement;
+import edu.cornell.mannlib.vitro.webapp.beans.ObjectProperty;
+import edu.cornell.mannlib.vitro.webapp.beans.ObjectPropertyStatement;
+import net.sf.jga.fn.UnaryFunctor;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+/**
+ * Filter the properties depending on what DisplayByRolePermission is on the request. If no request, or no permission,
+ * use the Public permission.
+ */
+public class FilterByDisplayPermission extends VitroFiltersImpl {
+    private static final Log log = LogFactory.getLog(FilterByDisplayPermission.class);
+    IdentifierBundle accessSubject = ActiveIdentifierBundleFactories.getUserIdentifierBundle(null);
+
+    public FilterByDisplayPermission() {
+        setDataPropertyFilter(new DataPropertyFilterByPolicy());
+        setObjectPropertyFilter(new ObjectPropertyFilterByPolicy());
+        setDataPropertyStatementFilter(new DataPropertyStatementFilterByPolicy());
+        setObjectPropertyStatementFilter(new ObjectPropertyStatementFilterByPolicy());
+    }
+
+    boolean checkAuthorization(AccessObject accessObject) {
+        boolean decision = PolicyHelper.isAuthorizedForActions(accessSubject, accessObject, AccessOperation.DISPLAY);
+        log.debug("decision is " + decision);
+        return decision;
+    }
+
+    /**
+     * Private Classes
+     */
+
+    private class DataPropertyFilterByPolicy extends UnaryFunctor<DataProperty, Boolean> {
+        @Override
+        public Boolean fn(DataProperty dp) {
+            return checkAuthorization(new DataPropertyAccessObject(dp));
+        }
+    }
+
+    private class ObjectPropertyFilterByPolicy extends UnaryFunctor<ObjectProperty, Boolean> {
+        @Override
+        public Boolean fn(ObjectProperty op) {
+            return checkAuthorization(new ObjectPropertyAccessObject(op));
+        }
+    }
+
+    private class DataPropertyStatementFilterByPolicy extends UnaryFunctor<DataPropertyStatement, Boolean> {
+        @Override
+        public Boolean fn(DataPropertyStatement dps) {
+            //TODO: Model should be here to correctly check authorization
+            return checkAuthorization(new DataPropertyStatementAccessObject(null, dps));
+        }
+    }
+
+    private class ObjectPropertyStatementFilterByPolicy extends UnaryFunctor<ObjectPropertyStatement, Boolean> {
+        @Override
+        public Boolean fn(ObjectPropertyStatement ops) {
+            String subjectUri = ops.getSubjectURI();
+            ObjectProperty predicate = getOrCreateProperty(ops);
+            String objectUri = ops.getObjectURI();
+            return checkAuthorization(new ObjectPropertyStatementAccessObject(null, subjectUri, predicate, objectUri));
+        }
+
+        /**
+         * It would be nice if every ObjectPropertyStatement held a real ObjectProperty. If it doesn't, we do the next
+         * best thing, but it won't recognize any applicable Faux properties.
+         */
+        private ObjectProperty getOrCreateProperty(ObjectPropertyStatement ops) {
+            if (ops.getProperty() != null) {
+                return ops.getProperty();
+            }
+            if (ops.getPropertyURI() == null) {
+                return null;
+            }
+            ObjectProperty op = new ObjectProperty();
+            op.setURI(ops.getPropertyURI());
+            op.setDomainVClassURI(SOME_URI);
+            op.setRangeVClassURI(SOME_URI);
+            return op;
+        }
+    }
+}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/filtering/filters/FilterByRoleLevelPermission.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/filtering/filters/FilterByRoleLevelPermission.java
deleted file mode 100644
index 81234beb28..0000000000
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/filtering/filters/FilterByRoleLevelPermission.java
+++ /dev/null
@@ -1,149 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package edu.cornell.mannlib.vitro.webapp.dao.filtering.filters;
-
-import static edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction.SOME_URI;
-
-import javax.servlet.ServletContext;
-import javax.servlet.http.HttpServletRequest;
-
-import net.sf.jga.fn.UnaryFunctor;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-
-import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle;
-import edu.cornell.mannlib.vitro.webapp.auth.identifier.RequestIdentifiers;
-import edu.cornell.mannlib.vitro.webapp.auth.identifier.common.HasPermission;
-import edu.cornell.mannlib.vitro.webapp.auth.permissions.DisplayByRolePermission;
-import edu.cornell.mannlib.vitro.webapp.auth.permissions.Permission;
-import edu.cornell.mannlib.vitro.webapp.auth.permissions.PermissionRegistry;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.display.DisplayDataProperty;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.display.DisplayDataPropertyStatement;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.display.DisplayObjectProperty;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.display.DisplayObjectPropertyStatement;
-import edu.cornell.mannlib.vitro.webapp.beans.DataProperty;
-import edu.cornell.mannlib.vitro.webapp.beans.DataPropertyStatement;
-import edu.cornell.mannlib.vitro.webapp.beans.ObjectProperty;
-import edu.cornell.mannlib.vitro.webapp.beans.ObjectPropertyStatement;
-
-/**
- * Filter the properties depending on what DisplayByRolePermission is on the
- * request. If no request, or no permission, use the Public permission.
- */
-public class FilterByRoleLevelPermission extends VitroFiltersImpl {
-	private static final Log log = LogFactory
-			.getLog(FilterByRoleLevelPermission.class);
-
-	private final Permission permission;
-
-	private static Permission getDefaultPermission(ServletContext ctx) {
-		if (ctx == null) {
-			throw new NullPointerException("context may not be null.");
-		}
-
-		return PermissionRegistry.getRegistry(ctx).getPermission(
-				DisplayByRolePermission.NAMESPACE + "Public");
-	}
-
-	private static Permission getPermissionFromRequest(HttpServletRequest req) {
-		if (req == null) {
-			throw new NullPointerException("request may not be null.");
-		}
-
-		IdentifierBundle ids = RequestIdentifiers.getIdBundleForRequest(req);
-		for (Permission p : HasPermission.getPermissions(ids)) {
-			if (p instanceof DisplayByRolePermission) {
-				return p;
-			}
-		}
-		return getDefaultPermission(req.getSession().getServletContext());
-	}
-
-	/** Get the DisplayByRolePermission from the request, or use Public. */
-	public FilterByRoleLevelPermission(HttpServletRequest req) {
-		this(getPermissionFromRequest(req));
-	}
-
-	/** Use the Public permission. */
-	public FilterByRoleLevelPermission(ServletContext ctx) {
-		this(getDefaultPermission(ctx));
-	}
-
-	/** Use the specified permission. */
-	public FilterByRoleLevelPermission(Permission permission) {
-		if (permission == null) {
-			throw new NullPointerException("permission may not be null.");
-		}
-
-		this.permission = permission;
-
-		setDataPropertyFilter(new DataPropertyFilterByPolicy());
-		setObjectPropertyFilter(new ObjectPropertyFilterByPolicy());
-		setDataPropertyStatementFilter(new DataPropertyStatementFilterByPolicy());
-		setObjectPropertyStatementFilter(new ObjectPropertyStatementFilterByPolicy());
-	}
-
-	boolean checkAuthorization(RequestedAction whatToAuth) {
-		boolean decision = permission.isAuthorized(whatToAuth);
-		log.debug("decision is " + decision);
-		return decision;
-	}
-
-	private class DataPropertyFilterByPolicy extends
-			UnaryFunctor<DataProperty, Boolean> {
-		@Override
-		public Boolean fn(DataProperty dp) {
-			return checkAuthorization(new DisplayDataProperty(dp));
-		}
-	}
-
-	private class ObjectPropertyFilterByPolicy extends
-			UnaryFunctor<ObjectProperty, Boolean> {
-		@Override
-		public Boolean fn(ObjectProperty op) {
-			return checkAuthorization(new DisplayObjectProperty(op));
-		}
-	}
-
-	private class DataPropertyStatementFilterByPolicy extends
-			UnaryFunctor<DataPropertyStatement, Boolean> {
-		@Override
-		public Boolean fn(DataPropertyStatement dps) {
-			return checkAuthorization(new DisplayDataPropertyStatement(dps));
-		}
-	}
-
-	private class ObjectPropertyStatementFilterByPolicy extends
-			UnaryFunctor<ObjectPropertyStatement, Boolean> {
-		@Override
-		public Boolean fn(ObjectPropertyStatement ops) {
-			String subjectUri = ops.getSubjectURI();
-			ObjectProperty predicate = getOrCreateProperty(ops);
-			String objectUri = ops.getObjectURI();
-			return checkAuthorization(new DisplayObjectPropertyStatement(
-					subjectUri, predicate, objectUri));
-		}
-
-		/**
-		 * It would be nice if every ObjectPropertyStatement held a real
-		 * ObjectProperty. If it doesn't, we do the next best thing, but it
-		 * won't recognize any applicable Faux properties.
-		 */
-		private ObjectProperty getOrCreateProperty(ObjectPropertyStatement ops) {
-			if (ops.getProperty() != null) {
-				return ops.getProperty();
-			}
-			if (ops.getPropertyURI() ==  null) {
-				return null;
-			}
-			ObjectProperty op = new ObjectProperty();
-			op.setURI(ops.getPropertyURI());
-			op.setDomainVClassURI(SOME_URI);
-			op.setRangeVClassURI(SOME_URI);
-			return op;
-		}
-	}
-
-}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/filtering/filters/HideFromDisplayByPolicyFilter.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/filtering/filters/HideFromDisplayByPolicyFilter.java
index ce12702fda..449919a48e 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/filtering/filters/HideFromDisplayByPolicyFilter.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/filtering/filters/HideFromDisplayByPolicyFilter.java
@@ -2,21 +2,21 @@
 
 package edu.cornell.mannlib.vitro.webapp.dao.filtering.filters;
 
-import static edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction.SOME_URI;
 import net.sf.jga.fn.UnaryFunctor;
 
+import static edu.cornell.mannlib.vitro.webapp.auth.objects.AccessObject.SOME_URI;
+
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation;
 import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle;
-import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.Authorization;
-import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyDecision;
-import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyIface;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.display.DisplayDataProperty;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.display.DisplayDataPropertyStatement;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.display.DisplayObjectProperty;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.display.DisplayObjectPropertyStatement;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.AccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.DataPropertyAccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.DataPropertyStatementAccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.ObjectPropertyAccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.ObjectPropertyStatementAccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyHelper;
 import edu.cornell.mannlib.vitro.webapp.beans.DataProperty;
 import edu.cornell.mannlib.vitro.webapp.beans.DataPropertyStatement;
 import edu.cornell.mannlib.vitro.webapp.beans.ObjectProperty;
@@ -30,19 +30,12 @@ public class HideFromDisplayByPolicyFilter extends VitroFiltersImpl {
 			.getLog(HideFromDisplayByPolicyFilter.class);
 
 	private final IdentifierBundle idBundle;
-	private final PolicyIface policy;
 
-	public HideFromDisplayByPolicyFilter(IdentifierBundle idBundle,
-			PolicyIface policy) {
+	public HideFromDisplayByPolicyFilter(IdentifierBundle idBundle) {
 		if (idBundle == null) {
 			throw new NullPointerException("idBundle may not be null.");
 		}
-		if (policy == null) {
-			throw new NullPointerException("policy may not be null.");
-		}
-
 		this.idBundle = idBundle;
-		this.policy = policy;
 
 		setDataPropertyFilter(new DataPropertyFilterByPolicy());
 		setObjectPropertyFilter(new ObjectPropertyFilterByPolicy());
@@ -50,23 +43,15 @@ public HideFromDisplayByPolicyFilter(IdentifierBundle idBundle,
 		setObjectPropertyStatementFilter(new ObjectPropertyStatementFilterByPolicy());
 	}
 
-	boolean checkAuthorization(RequestedAction whatToAuth) {
-		PolicyDecision decision = policy.isAuthorized(idBundle, whatToAuth);
-		log.debug("decision is " + decision);
-
-		if (decision != null) {
-			if (decision.getAuthorized() == Authorization.AUTHORIZED) {
-				return true;
-			}
-		}
-		return false;
+	boolean checkAuthorization(AccessObject whatToAuth) {
+	    return PolicyHelper.isAuthorizedForActions(idBundle, whatToAuth, AccessOperation.DISPLAY);
 	}
 
 	private class DataPropertyFilterByPolicy extends
 			UnaryFunctor<DataProperty, Boolean> {
 		@Override
 		public Boolean fn(DataProperty dp) {
-			return checkAuthorization(new DisplayDataProperty(dp));
+			return checkAuthorization(new DataPropertyAccessObject(dp));
 		}
 	}
 
@@ -74,7 +59,7 @@ private class ObjectPropertyFilterByPolicy extends
 			UnaryFunctor<ObjectProperty, Boolean> {
 		@Override
 		public Boolean fn(ObjectProperty op) {
-			return checkAuthorization(new DisplayObjectProperty(op));
+			return checkAuthorization(new ObjectPropertyAccessObject(op));
 		}
 	}
 
@@ -82,7 +67,8 @@ private class DataPropertyStatementFilterByPolicy extends
 			UnaryFunctor<DataPropertyStatement, Boolean> {
 		@Override
 		public Boolean fn(DataPropertyStatement dps) {
-			return checkAuthorization(new DisplayDataPropertyStatement(dps));
+	        //TODO: Model should be here to correctly check authorization
+			return checkAuthorization(new DataPropertyStatementAccessObject(null, dps));
 		}
 	}
 
@@ -93,8 +79,8 @@ public Boolean fn(ObjectPropertyStatement ops) {
 			String subjectUri = ops.getSubjectURI();
 			ObjectProperty predicate = getOrCreateProperty(ops);
 			String objectUri = ops.getObjectURI();
-			return checkAuthorization(new DisplayObjectPropertyStatement(
-					subjectUri, predicate, objectUri));
+			return checkAuthorization(new ObjectPropertyStatementAccessObject(
+					null, subjectUri, predicate, objectUri));
 		}
 
 		/**
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/filtering/filters/VitroFilterUtils.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/filtering/filters/VitroFilterUtils.java
index cd5b0d1096..169a7e09b4 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/filtering/filters/VitroFilterUtils.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/filtering/filters/VitroFilterUtils.java
@@ -3,7 +3,6 @@
 package edu.cornell.mannlib.vitro.webapp.dao.filtering.filters;
 
 import java.text.Collator;
-import java.util.Collections;
 import java.util.Comparator;
 import java.util.List;
 
@@ -23,7 +22,7 @@ public class VitroFilterUtils {
 	 * public view.
 	 */
 	public static VitroFilters getPublicFilter(ServletContext ctx) {
-		return new FilterByRoleLevelPermission(ctx);
+		return new FilterByDisplayPermission();
 	}
 
     /** Gets a VitroFilters that permits all objects */
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/jena/DataPropertyDaoJena.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/jena/DataPropertyDaoJena.java
index 5c836281db..aeab5fb9ca 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/jena/DataPropertyDaoJena.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/jena/DataPropertyDaoJena.java
@@ -201,63 +201,6 @@ private DataProperty datapropFromOntProperty(OntProperty op) {
             dp.setDisplayTier((getWebappDaoFactory()).getJenaBaseDao().getPropertyNonNegativeIntValue(op, DISPLAY_RANK_ANNOT));
             dp.setDisplayLimit((getWebappDaoFactory()).getJenaBaseDao().getPropertyNonNegativeIntValue(op, DISPLAY_LIMIT));
 
-            //There might be multiple HIDDEN_FROM_DISPLAY_BELOW_ROLE_LEVEL_ANNOT properties, only use the highest
-            StmtIterator it = op.listProperties(HIDDEN_FROM_DISPLAY_BELOW_ROLE_LEVEL_ANNOT);
-            BaseResourceBean.RoleLevel hiddenRoleLevel = null;
-            while( it.hasNext() ){
-                Statement stmt = it.nextStatement();
-                RDFNode obj;
-                if( stmt != null && (obj = stmt.getObject()) != null && obj.isURIResource() ){
-                    Resource res = obj.as(Resource.class);
-                    if( res != null && res.getURI() != null ){
-                        BaseResourceBean.RoleLevel roleFromModel =  BaseResourceBean.RoleLevel.getRoleByUri(res.getURI());
-                        if( roleFromModel != null &&
-                            (hiddenRoleLevel == null || roleFromModel.compareTo(hiddenRoleLevel) > 0 )){
-                            hiddenRoleLevel = roleFromModel;
-                        }
-                    }
-                }
-            }
-            dp.setHiddenFromDisplayBelowRoleLevel(hiddenRoleLevel);//this might get set to null
-
-            //There might be multiple PROHIBITED_FROM_UPDATE_BELOW_ROLE_LEVEL_ANNOT properties, only use the highest
-            it = op.listProperties(PROHIBITED_FROM_UPDATE_BELOW_ROLE_LEVEL_ANNOT);
-            BaseResourceBean.RoleLevel prohibitedRoleLevel = null;
-            while( it.hasNext() ){
-                Statement stmt = it.nextStatement();
-                RDFNode obj;
-                if( stmt != null && (obj = stmt.getObject()) != null && obj.isURIResource() ){
-                    Resource res = obj.as(Resource.class);
-                    if( res != null && res.getURI() != null ){
-                        BaseResourceBean.RoleLevel roleFromModel =  BaseResourceBean.RoleLevel.getRoleByUri(res.getURI());
-                        if( roleFromModel != null &&
-                            (prohibitedRoleLevel == null || roleFromModel.compareTo(prohibitedRoleLevel) > 0 )){
-                            prohibitedRoleLevel = roleFromModel;
-                        }
-                    }
-                }
-            }
-            dp.setProhibitedFromUpdateBelowRoleLevel(prohibitedRoleLevel);//this might get set to null
-
-            //There might be multiple HIDDEN_FROM_PUBLISH_BELOW_ROLE_LEVEL_ANNOT properties, only use the highest
-            it = op.listProperties(HIDDEN_FROM_PUBLISH_BELOW_ROLE_LEVEL_ANNOT);
-            BaseResourceBean.RoleLevel publishRoleLevel = null;
-            while( it.hasNext() ){
-                Statement stmt = it.nextStatement();
-                RDFNode obj;
-                if( stmt != null && (obj = stmt.getObject()) != null && obj.isURIResource() ){
-                    Resource res = obj.as(Resource.class);
-                    if( res != null && res.getURI() != null ){
-                        BaseResourceBean.RoleLevel roleFromModel =  BaseResourceBean.RoleLevel.getRoleByUri(res.getURI());
-                        if( roleFromModel != null &&
-                            (publishRoleLevel == null || roleFromModel.compareTo(publishRoleLevel) > 0 )){
-                            publishRoleLevel = roleFromModel;
-                        }
-                    }
-                }
-            }
-            dp.setHiddenFromPublishBelowRoleLevel(publishRoleLevel);//this might get set to null
-
             dp.setCustomEntryForm(getPropertyStringValue(op,PROPERTY_CUSTOMENTRYFORMANNOT));
 
             dp.setExternalId( getOntModelSelector().getTBoxModel().contains(op, DATAPROPERTY_ISEXTERNALID, "TRUE") );
@@ -522,26 +465,6 @@ public String insertDataProperty(DataProperty dtp, OntModel ontModel) throws Ins
             addPropertyStringValue(jDataprop, EDITING, dtp.getEditing(), ontModel);
             addPropertyNonNegativeIntValue(jDataprop, DISPLAY_RANK_ANNOT, dtp.getDisplayTier(), ontModel);
             addPropertyNonNegativeIntValue(jDataprop, DISPLAY_LIMIT, dtp.getDisplayLimit(), ontModel);
-            //addPropertyStringValue(jDataprop, HIDDEN_ANNOT, dtp.getHidden(), ontModel);
-            jDataprop.removeAll(HIDDEN_FROM_DISPLAY_BELOW_ROLE_LEVEL_ANNOT);
-            if (HIDDEN_FROM_DISPLAY_BELOW_ROLE_LEVEL_ANNOT != null && dtp.getHiddenFromDisplayBelowRoleLevel() != null) { // only need to add if present
-                jDataprop.addProperty(HIDDEN_FROM_DISPLAY_BELOW_ROLE_LEVEL_ANNOT, ResourceFactory.createResource(dtp.getHiddenFromDisplayBelowRoleLevel().getURI()));
-            }
-            jDataprop.removeAll(PROHIBITED_FROM_UPDATE_BELOW_ROLE_LEVEL_ANNOT);
-            if (PROHIBITED_FROM_UPDATE_BELOW_ROLE_LEVEL_ANNOT != null && dtp.getProhibitedFromUpdateBelowRoleLevel() != null) { // only need to add if present
-                jDataprop.addProperty(PROHIBITED_FROM_UPDATE_BELOW_ROLE_LEVEL_ANNOT, ResourceFactory.createResource(dtp.getProhibitedFromUpdateBelowRoleLevel().getURI()));
-            }
-            jDataprop.removeAll(HIDDEN_FROM_PUBLISH_BELOW_ROLE_LEVEL_ANNOT);
-            if (HIDDEN_FROM_PUBLISH_BELOW_ROLE_LEVEL_ANNOT != null && dtp.getHiddenFromPublishBelowRoleLevel() != null) { // only need to add if present
-            	jDataprop.addProperty(HIDDEN_FROM_PUBLISH_BELOW_ROLE_LEVEL_ANNOT, ResourceFactory.createResource(dtp.getHiddenFromPublishBelowRoleLevel().getURI()));
-            }
-            /*
-            if (dtp.isSelfEditProhibited()) { // only add the property if it's true
-                addPropertyBooleanValue(jDataprop, PROPERTY_SELFEDITPROHIBITEDANNOT, dtp.isSelfEditProhibited(), ontModel);
-            }
-            if (dtp.isCuratorEditProhibited()) { // only add the property if it's true
-                addPropertyBooleanValue(jDataprop, PROPERTY_CURATOREDITPROHIBITEDANNOT, dtp.isCuratorEditProhibited(), ontModel);
-            } */
             try {
             	if (dtp.getGroupURI() != null && dtp.getGroupURI().length()>0) {
                 	String badURIErrorStr = checkURI(dtp.getGroupURI());
@@ -594,18 +517,6 @@ public void updateDataProperty(DataProperty dtp, OntModel ontModel) {
             updatePropertyNonNegativeIntValue(jDataprop, DISPLAY_RANK_ANNOT, dtp.getDisplayTier(), ontModel);
             updatePropertyNonNegativeIntValue(jDataprop, DISPLAY_LIMIT, dtp.getDisplayLimit(), ontModel);
 
-            if (dtp.getHiddenFromDisplayBelowRoleLevel() != null) {
-              updatePropertyResourceURIValue(jDataprop,HIDDEN_FROM_DISPLAY_BELOW_ROLE_LEVEL_ANNOT,dtp.getHiddenFromDisplayBelowRoleLevel().getURI(),ontModel);
-            }
-
-            if (dtp.getProhibitedFromUpdateBelowRoleLevel() != null) {
-                updatePropertyResourceURIValue(jDataprop,PROHIBITED_FROM_UPDATE_BELOW_ROLE_LEVEL_ANNOT,dtp.getProhibitedFromUpdateBelowRoleLevel().getURI(),ontModel);
-            }
-
-            if (dtp.getHiddenFromPublishBelowRoleLevel() != null) {
-            	updatePropertyResourceURIValue(jDataprop,HIDDEN_FROM_PUBLISH_BELOW_ROLE_LEVEL_ANNOT,dtp.getHiddenFromPublishBelowRoleLevel().getURI(),ontModel);
-            }
-
             if (dtp.getGroupURI() != null) {
                 updatePropertyResourceURIValue(jDataprop,PROPERTY_INPROPERTYGROUPANNOT,dtp.getGroupURI(),ontModel);
             }
@@ -709,7 +620,6 @@ public List<DataProperty> getRootDataProperties() {
         //"   ?property a owl:DatatypeProperty . \n" +
         "   FILTER ( \n" +
         "       isLiteral(?object) && \n" +
-        "       ( !regex(str(?property), \"^" + VitroVocabulary.PUBLIC + "\" )) && \n" +
         "       ( !regex(str(?property), \"^" + VitroVocabulary.OWL + "\" )) && \n" +
         // NIHVIVO-2790 vitro:moniker has been deprecated, but display existing values for editorial management (deletion is encouraged).
         // This property will be hidden from public display by default.
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/jena/FauxPropertyDaoJena.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/jena/FauxPropertyDaoJena.java
index da21bc32df..1300eddaa6 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/jena/FauxPropertyDaoJena.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/jena/FauxPropertyDaoJena.java
@@ -250,17 +250,6 @@ public void insertFauxProperty(FauxProperty fp) {
 					fp.getCustomEntryForm(), displayModel);
 			addPropertyStringValue(config, LIST_VIEW_FILE,
 					fp.getCustomListView(), displayModel);
-
-			updatePropertyResourceURIValue(config,
-					HIDDEN_FROM_DISPLAY_BELOW_ROLE_LEVEL_ANNOT, fp
-							.getHiddenFromDisplayBelowRoleLevel().getURI());
-			updatePropertyResourceURIValue(config,
-					HIDDEN_FROM_PUBLISH_BELOW_ROLE_LEVEL_ANNOT, fp
-							.getHiddenFromPublishBelowRoleLevel().getURI());
-			updatePropertyResourceURIValue(config,
-					PROHIBITED_FROM_UPDATE_BELOW_ROLE_LEVEL_ANNOT, fp
-							.getProhibitedFromUpdateBelowRoleLevel().getURI());
-
 		} catch (InsertException e) {
 			throw new RuntimeException(e);
 		}
@@ -350,16 +339,6 @@ public void updateFauxProperty(FauxProperty fp) {
 					fp.getCustomEntryForm(), displayModel);
 			updatePropertyStringValue(config, LIST_VIEW_FILE,
 					fp.getCustomListView(), displayModel);
-
-			updatePropertyResourceURIValue(config,
-					HIDDEN_FROM_DISPLAY_BELOW_ROLE_LEVEL_ANNOT, fp
-							.getHiddenFromDisplayBelowRoleLevel().getURI());
-			updatePropertyResourceURIValue(config,
-					HIDDEN_FROM_PUBLISH_BELOW_ROLE_LEVEL_ANNOT, fp
-							.getHiddenFromPublishBelowRoleLevel().getURI());
-			updatePropertyResourceURIValue(config,
-					PROHIBITED_FROM_UPDATE_BELOW_ROLE_LEVEL_ANNOT, fp
-							.getProhibitedFromUpdateBelowRoleLevel().getURI());
 		}
 	}
 
@@ -458,13 +437,6 @@ private void populateFieldsFromDisplayModel(FauxProperty fp) {
 								PROPERTY_OFFERCREATENEWOPTIONANNOT)));
 				fp.setCustomEntryForm(getPropertyStringValue(config,
 						PROPERTY_CUSTOMENTRYFORMANNOT));
-
-				fp.setHiddenFromDisplayBelowRoleLevel(getMostRestrictiveRoleLevel(
-						config, HIDDEN_FROM_DISPLAY_BELOW_ROLE_LEVEL_ANNOT));
-				fp.setHiddenFromPublishBelowRoleLevel(getMostRestrictiveRoleLevel(
-						config, HIDDEN_FROM_PUBLISH_BELOW_ROLE_LEVEL_ANNOT));
-				fp.setProhibitedFromUpdateBelowRoleLevel(getMostRestrictiveRoleLevel(
-						config, PROHIBITED_FROM_UPDATE_BELOW_ROLE_LEVEL_ANNOT));
 			}
 		}
 	}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/jena/JenaBaseDao.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/jena/JenaBaseDao.java
index 6ba1b1134b..b57d513e32 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/jena/JenaBaseDao.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/jena/JenaBaseDao.java
@@ -47,7 +47,6 @@
 import org.apache.jena.vocabulary.RDF;
 import org.apache.jena.vocabulary.RDFS;
 
-import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean.RoleLevel;
 import edu.cornell.mannlib.vitro.webapp.dao.VitroVocabulary;
 
 public class JenaBaseDao extends JenaBaseDaoCon {
@@ -576,20 +575,6 @@ protected Collection<String> getPropertyResourceURIValues(Resource res, ObjectPr
     	return list;
     }
 
-	protected RoleLevel getMostRestrictiveRoleLevel(Resource res, Property prop) {
-		RoleLevel level = RoleLevel.getRoleByUri(null);
-		for (Statement stmt : res.listProperties(prop).toList()) {
-			if (stmt.getObject().isURIResource()) {
-				RoleLevel roleFromModel = RoleLevel.getRoleByUri(stmt
-						.getObject().as(Resource.class).getURI());
-				if (roleFromModel.compareTo(level) > 0) {
-					level = roleFromModel;
-				}
-			}
-		}
-		return level;
-	}
-
     /**
      * convenience method for use with functional object properties
      */
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/jena/JenaBaseDaoCon.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/jena/JenaBaseDaoCon.java
index 71fd6447ae..7830a01140 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/jena/JenaBaseDaoCon.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/jena/JenaBaseDaoCon.java
@@ -41,10 +41,6 @@ public JenaBaseDaoCon() {
 
     protected AnnotationProperty DATAPROPERTY_ISEXTERNALID = _constModel.createAnnotationProperty(VitroVocabulary.DATAPROPERTY_ISEXTERNALID);
 
-    protected AnnotationProperty HIDDEN_FROM_DISPLAY_BELOW_ROLE_LEVEL_ANNOT = _constModel.createAnnotationProperty(VitroVocabulary.HIDDEN_FROM_DISPLAY_BELOW_ROLE_LEVEL_ANNOT);
-    protected AnnotationProperty PROHIBITED_FROM_UPDATE_BELOW_ROLE_LEVEL_ANNOT = _constModel.createAnnotationProperty(VitroVocabulary.PROHIBITED_FROM_UPDATE_BELOW_ROLE_LEVEL_ANNOT);
-    protected AnnotationProperty HIDDEN_FROM_PUBLISH_BELOW_ROLE_LEVEL_ANNOT = _constModel.createAnnotationProperty(VitroVocabulary.HIDDEN_FROM_PUBLISH_BELOW_ROLE_LEVEL_ANNOT);
-
     protected AnnotationProperty SEARCH_BOOST_ANNOT = _constModel.createAnnotationProperty(VitroVocabulary.SEARCH_BOOST_ANNOT);
 
     protected AnnotationProperty EXAMPLE = _constModel.createAnnotationProperty(VitroVocabulary.EXAMPLE_ANNOT);
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/jena/JenaModelUtils.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/jena/JenaModelUtils.java
index 1ffb21ae80..67fb0f52db 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/jena/JenaModelUtils.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/jena/JenaModelUtils.java
@@ -219,12 +219,6 @@ public OntModel extractTBox( Dataset dataset, String namespace, String graphURI,
                                                                   VitroVocabulary.IN_CLASSGROUP)));
             tboxModel.add(construct(dataset, namespace, graphURI, ResourceFactory.createResource(
                                                                   VitroVocabulary.PROPERTY_INPROPERTYGROUPANNOT)));
-            tboxModel.add(construct(dataset, namespace, graphURI, ResourceFactory.createResource(
-                                                                  VitroVocabulary.PROHIBITED_FROM_UPDATE_BELOW_ROLE_LEVEL_ANNOT)));
-            tboxModel.add(construct(dataset, namespace, graphURI, ResourceFactory.createResource(
-                                                                  VitroVocabulary.HIDDEN_FROM_DISPLAY_BELOW_ROLE_LEVEL_ANNOT)));
-            tboxModel.add(construct(dataset, namespace, graphURI, ResourceFactory.createResource(
-            		                                              VitroVocabulary.HIDDEN_FROM_PUBLISH_BELOW_ROLE_LEVEL_ANNOT)));
             tboxModel.add(construct(dataset, namespace, graphURI, ResourceFactory.createResource(
                                                                   VitroVocabulary.DESCRIPTION_ANNOT)));
             tboxModel.add(construct(dataset, namespace, graphURI, ResourceFactory.createResource(
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/jena/ObjectPropertyDaoJena.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/jena/ObjectPropertyDaoJena.java
index 9ae00d59e5..ebeff43657 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/jena/ObjectPropertyDaoJena.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/jena/ObjectPropertyDaoJena.java
@@ -43,7 +43,6 @@
 import org.apache.jena.vocabulary.RDF;
 import org.apache.jena.vocabulary.RDFS;
 
-import edu.cornell.mannlib.vitro.webapp.auth.policy.bean.RoleRestrictedProperty;
 import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean;
 import edu.cornell.mannlib.vitro.webapp.beans.Individual;
 import edu.cornell.mannlib.vitro.webapp.beans.ObjectProperty;
@@ -164,63 +163,6 @@ protected ObjectProperty propertyFromOntProperty(OntProperty op) {
             p.setDomainEntitySortDirection(getPropertyStringValue(op,PROPERTY_ENTITYSORTDIRECTION));
             p.setRangeEntitySortDirection(getPropertyStringValue(invOp,PROPERTY_ENTITYSORTDIRECTION));
 
-            //There might be multiple HIDDEN_FROM_DISPLAY_BELOW_ROLE_LEVEL_ANNOT properties, only use the highest
-            StmtIterator it = op.listProperties(HIDDEN_FROM_DISPLAY_BELOW_ROLE_LEVEL_ANNOT);
-            BaseResourceBean.RoleLevel hiddenRoleLevel = null;
-            while( it.hasNext() ){
-                Statement stmt = it.nextStatement();
-                RDFNode obj;
-                if( stmt != null && (obj = stmt.getObject()) != null && obj.isURIResource() ){
-                    Resource res = obj.as(Resource.class);
-                    if( res != null && res.getURI() != null ){
-                        BaseResourceBean.RoleLevel roleFromModel =  BaseResourceBean.RoleLevel.getRoleByUri(res.getURI());
-                        if( roleFromModel != null &&
-                            (hiddenRoleLevel == null || roleFromModel.compareTo(hiddenRoleLevel) > 0 )){
-                            hiddenRoleLevel = roleFromModel;
-                        }
-                    }
-                }
-            }
-            p.setHiddenFromDisplayBelowRoleLevel(hiddenRoleLevel); //this might get set to null
-
-            //There might be multiple PROHIBITED_FROM_UPDATE_BELOW_ROLE_LEVEL_ANNOT properties, only use the highest
-            it = op.listProperties(PROHIBITED_FROM_UPDATE_BELOW_ROLE_LEVEL_ANNOT);
-            BaseResourceBean.RoleLevel prohibitedRoleLevel = null;
-            while( it.hasNext() ){
-                Statement stmt = it.nextStatement();
-                RDFNode obj;
-                if( stmt != null && (obj = stmt.getObject()) != null && obj.isURIResource() ){
-                    Resource res = obj.as(Resource.class);
-                    if( res != null && res.getURI() != null ){
-                        BaseResourceBean.RoleLevel roleFromModel =  BaseResourceBean.RoleLevel.getRoleByUri(res.getURI());
-                        if( roleFromModel != null &&
-                            (prohibitedRoleLevel == null || roleFromModel.compareTo(prohibitedRoleLevel) > 0 )){
-                            prohibitedRoleLevel = roleFromModel;
-                        }
-                    }
-                }
-            }
-            p.setProhibitedFromUpdateBelowRoleLevel(prohibitedRoleLevel); //this might get set to null
-
-            //There might be multiple HIDDEN_FROM_PUBLISH_BELOW_ROLE_LEVEL_ANNOT properties, only use the highest
-            it = op.listProperties(HIDDEN_FROM_PUBLISH_BELOW_ROLE_LEVEL_ANNOT);
-            BaseResourceBean.RoleLevel publishRoleLevel = null;
-            while( it.hasNext() ){
-                Statement stmt = it.nextStatement();
-                RDFNode obj;
-                if( stmt != null && (obj = stmt.getObject()) != null && obj.isURIResource() ){
-                    Resource res = obj.as(Resource.class);
-                    if( res != null && res.getURI() != null ){
-                        BaseResourceBean.RoleLevel roleFromModel =  BaseResourceBean.RoleLevel.getRoleByUri(res.getURI());
-                        if( roleFromModel != null &&
-                            (publishRoleLevel == null || roleFromModel.compareTo(publishRoleLevel) > 0 )){
-                            publishRoleLevel = roleFromModel;
-                        }
-                    }
-                }
-            }
-            p.setHiddenFromPublishBelowRoleLevel(publishRoleLevel); //this might get set to null
-
             p.setCustomEntryForm(getPropertyStringValue(op,PROPERTY_CUSTOMENTRYFORMANNOT));
             Boolean selectFromObj = getPropertyBooleanValue(op,PROPERTY_SELECTFROMEXISTINGANNOT);
             p.setSelectFromExisting(selectFromObj==null ? true : selectFromObj);
@@ -333,8 +275,8 @@ public ObjectProperty getObjectPropertyByURIs(String propertyURI,
         String propQuery = "PREFIX rdfs: <http://www.w3.org/2000/01/rdf-schema#> \n" +
                 "PREFIX config: <http://vitro.mannlib.cornell.edu/ns/vitro/ApplicationConfiguration#> \n" +
                 "PREFIX vitro: <http://vitro.mannlib.cornell.edu/ns/vitro/0.7#> \n" +
-                "SELECT ?range ?rangeRoot ?label ?group ?customForm ?displayRank ?displayLevel " +
-                "    ?updateLevel ?publishLevel ?editLinkSuppressed ?addLinkSuppressed ?deleteLinkSuppressed \n" +
+                "SELECT ?range ?rangeRoot ?label ?group ?customForm ?displayRank " +
+                "    ?editLinkSuppressed ?addLinkSuppressed ?deleteLinkSuppressed \n" +
                 "    ?collateBySubclass ?displayLimit ?individualSortProperty \n" +
                 "    ?entitySortDirection ?selectFromExisting ?offerCreateNew \n" +
                 "    ?publicDescription ?stubDeletion \n" +
@@ -358,9 +300,6 @@ public ObjectProperty getObjectPropertyByURIs(String propertyURI,
                 "    OPTIONAL { ?configuration config:deleteLinkSuppressed ?deleteLinkSuppressed } \n" +
                 "    OPTIONAL { ?configuration vitro:displayRankAnnot ?displayRank } \n" +
                 "    OPTIONAL { ?configuration vitro:customEntryFormAnnot ?customForm } \n" +
-                "    OPTIONAL { ?configuration vitro:hiddenFromDisplayBelowRoleLevelAnnot ?displayLevel } \n" +
-                "    OPTIONAL { ?configuration vitro:prohibitedFromUpdateBelowRoleLevelAnnot ?updateLevel } \n" +
-                "    OPTIONAL { ?configuration vitro:hiddenFromPublishBelowRoleLevelAnnot ?publishLevel } \n" +
                 "    OPTIONAL { ?configuration <" + PROPERTY_COLLATEBYSUBCLASSANNOT.getURI() + "> ?collateBySubclass } \n" +
                 "    OPTIONAL { ?configuration <" + DISPLAY_LIMIT.getURI() + "> ?displayLimit } \n" +
                 "    OPTIONAL { ?configuration <" + PROPERTY_OBJECTINDIVIDUALSORTPROPERTY.getURI() + "> ?individualSortProperty } \n " +
@@ -400,24 +339,6 @@ public ObjectProperty getObjectPropertyByURIs(String propertyURI,
                     op.setDomainDisplayLimit(
                             Integer.parseInt(displayLimitLit.getLexicalForm()));
                 }
-                Resource displayLevelRes = qsoln.getResource("displayLevel");
-                if (displayLevelRes != null) {
-                    op.setHiddenFromDisplayBelowRoleLevel(
-                            BaseResourceBean.RoleLevel.getRoleByUri(
-                                    displayLevelRes.getURI()));
-                }
-                Resource updateLevelRes = qsoln.getResource("updateLevel");
-                if (updateLevelRes != null) {
-                    op.setProhibitedFromUpdateBelowRoleLevel(
-                            BaseResourceBean.RoleLevel.getRoleByUri(
-                                    updateLevelRes.getURI()));
-                }
-                Resource publishLevelRes = qsoln.getResource("publishLevel");
-                if (publishLevelRes != null) {
-                    op.setHiddenFromPublishBelowRoleLevel(
-                            BaseResourceBean.RoleLevel.getRoleByUri(
-                                    publishLevelRes.getURI()));
-                }
                 Literal labelLit = qsoln.getLiteral("label");
                 if (labelLit != null) {
                     op.setDomainPublic(labelLit.getLexicalForm());
@@ -753,18 +674,6 @@ private void doUpdate(ObjectProperty prop, OntProperty p, OntProperty inv, OntMo
         	}
         }
 
-        if (prop.getHiddenFromDisplayBelowRoleLevel() != null) {
-        	updatePropertyResourceURIValue(p, HIDDEN_FROM_DISPLAY_BELOW_ROLE_LEVEL_ANNOT, prop.getHiddenFromDisplayBelowRoleLevel().getURI());
-        }
-
-        if (prop.getProhibitedFromUpdateBelowRoleLevel() != null) {
-        	updatePropertyResourceURIValue(p, PROHIBITED_FROM_UPDATE_BELOW_ROLE_LEVEL_ANNOT, prop.getProhibitedFromUpdateBelowRoleLevel().getURI());
-        }
-
-        if (prop.getHiddenFromPublishBelowRoleLevel() != null) {
-        	updatePropertyResourceURIValue(p, HIDDEN_FROM_PUBLISH_BELOW_ROLE_LEVEL_ANNOT, prop.getHiddenFromPublishBelowRoleLevel().getURI());
-        }
-
         updatePropertyStringValue(p,PROPERTY_CUSTOMENTRYFORMANNOT,prop.getCustomEntryForm(),ontModel);
         updatePropertyBooleanValue(p,PROPERTY_SELECTFROMEXISTINGANNOT,prop.getSelectFromExisting(),ontModel,JenaBaseDao.KEEP_ONLY_IF_FALSE);
         updatePropertyBooleanValue(p,PROPERTY_OFFERCREATENEWOPTIONANNOT,prop.getOfferCreateNewOption(),ontModel,JenaBaseDao.KEEP_ONLY_IF_TRUE);
@@ -1133,7 +1042,7 @@ public String getCustomListViewConfigFileName(ObjectProperty op) {
             }
             qexec.close();
         }
-        FullPropertyKey key = new FullPropertyKey((RoleRestrictedProperty)op);
+        FullPropertyKey key = new FullPropertyKey(op);
 		String customListViewConfigFileName = customListViewConfigFileMap.get(key);
         if (customListViewConfigFileName == null) {
             log.debug("no list view found for " + key);
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/jena/VClassDaoJena.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/jena/VClassDaoJena.java
index 20b207d019..89406a4a40 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/jena/VClassDaoJena.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/jena/VClassDaoJena.java
@@ -966,33 +966,6 @@ public int insertNewVClass(VClass cls, OntModel ontModel) throws InsertException
             addPropertyIntValue(ontCls,DISPLAY_LIMIT,cls.getDisplayLimit(),ontModel);
             addPropertyIntValue(ontCls,DISPLAY_RANK_ANNOT,cls.getDisplayRank(),ontModel);
 
-            ontCls.removeAll(HIDDEN_FROM_DISPLAY_BELOW_ROLE_LEVEL_ANNOT);
-            if (HIDDEN_FROM_DISPLAY_BELOW_ROLE_LEVEL_ANNOT != null && cls.getHiddenFromDisplayBelowRoleLevel() != null) { // only need to add if present
-                try {
-                    ontCls.addProperty(HIDDEN_FROM_DISPLAY_BELOW_ROLE_LEVEL_ANNOT, ResourceFactory.createResource(cls.getHiddenFromDisplayBelowRoleLevel().getURI()));
-                } catch (Exception e) {
-                    log.error("error adding HiddenFromDisplayBelowRoleLevel annotation to class "+cls.getURI());
-                }
-            }
-
-            ontCls.removeAll(PROHIBITED_FROM_UPDATE_BELOW_ROLE_LEVEL_ANNOT);
-            if (PROHIBITED_FROM_UPDATE_BELOW_ROLE_LEVEL_ANNOT != null && cls.getProhibitedFromUpdateBelowRoleLevel() != null) { // only need to add if present
-                try {
-                    ontCls.addProperty(PROHIBITED_FROM_UPDATE_BELOW_ROLE_LEVEL_ANNOT, ResourceFactory.createResource(cls.getProhibitedFromUpdateBelowRoleLevel().getURI()));
-                } catch (Exception e) {
-                    log.error("error adding ProhibitedFromUpdateBelowRoleLevel annotation to class "+cls.getURI());
-                }
-            }
-
-            ontCls.removeAll(HIDDEN_FROM_PUBLISH_BELOW_ROLE_LEVEL_ANNOT);
-            if (HIDDEN_FROM_PUBLISH_BELOW_ROLE_LEVEL_ANNOT != null && cls.getHiddenFromPublishBelowRoleLevel() != null) { // only need to add if present
-                try {
-                    ontCls.addProperty(HIDDEN_FROM_PUBLISH_BELOW_ROLE_LEVEL_ANNOT, ResourceFactory.createResource(cls.getHiddenFromPublishBelowRoleLevel().getURI()));
-                } catch (Exception e) {
-                    log.error("error adding HiddenFromPublishBelowRoleLevel annotation to class "+cls.getURI());
-                }
-            }
-
             /* OPTIONAL annotation properties */
             addPropertyStringValue(ontCls,PROPERTY_CUSTOMENTRYFORMANNOT,cls.getCustomEntryForm(),ontModel);
             addPropertyStringValue(ontCls,PROPERTY_CUSTOMDISPLAYVIEWANNOT,cls.getCustomDisplayView(),ontModel);
@@ -1026,18 +999,6 @@ public void updateVClass(VClass cls, OntModel ontModel) {
                 updatePropertyNonNegativeIntValue(ontCls,DISPLAY_RANK_ANNOT,cls.getDisplayRank(),ontModel);
                 updatePropertyFloatValue(ontCls, SEARCH_BOOST_ANNOT, cls.getSearchBoost(), ontModel);
 
-                if (cls.getHiddenFromDisplayBelowRoleLevel() != null) {
-                    updatePropertyResourceURIValue(ontCls,HIDDEN_FROM_DISPLAY_BELOW_ROLE_LEVEL_ANNOT,cls.getHiddenFromDisplayBelowRoleLevel().getURI(),ontModel);
-                }
-
-                if (cls.getProhibitedFromUpdateBelowRoleLevel() != null) {
-                    updatePropertyResourceURIValue(ontCls,PROHIBITED_FROM_UPDATE_BELOW_ROLE_LEVEL_ANNOT,cls.getProhibitedFromUpdateBelowRoleLevel().getURI(),ontModel);
-                }
-
-                if (cls.getHiddenFromPublishBelowRoleLevel() != null) {
-                    updatePropertyResourceURIValue(ontCls,HIDDEN_FROM_PUBLISH_BELOW_ROLE_LEVEL_ANNOT,cls.getHiddenFromPublishBelowRoleLevel().getURI(),ontModel);
-                }
-
                 updatePropertyStringValue(ontCls,PROPERTY_CUSTOMENTRYFORMANNOT,cls.getCustomEntryForm(),ontModel);
                 updatePropertyStringValue(ontCls,PROPERTY_CUSTOMDISPLAYVIEWANNOT,cls.getCustomDisplayView(),ontModel);
                 updatePropertyStringValue(ontCls,PROPERTY_CUSTOMSHORTVIEWANNOT,cls.getCustomShortView(),ontModel);
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/jena/VClassJena.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/jena/VClassJena.java
index 7c1c5351a2..3ccaa47968 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/jena/VClassJena.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/jena/VClassJena.java
@@ -11,13 +11,9 @@
 
 import org.apache.jena.ontology.OntClass;
 import org.apache.jena.ontology.UnionClass;
-import org.apache.jena.rdf.model.RDFNode;
 import org.apache.jena.rdf.model.Resource;
-import org.apache.jena.rdf.model.Statement;
-import org.apache.jena.rdf.model.StmtIterator;
 import org.apache.jena.shared.Lock;
 
-import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean;
 import edu.cornell.mannlib.vitro.webapp.beans.VClass;
 import edu.cornell.mannlib.vitro.webapp.dao.VClassDao;
 import edu.cornell.mannlib.vitro.webapp.dao.VitroVocabulary;
@@ -297,112 +293,8 @@ public Float getSearchBoost() {
             } finally {
                 cls.getOntModel().leaveCriticalSection();
             }
-        }
-    }
-
-    @Override
-    public RoleLevel getHiddenFromDisplayBelowRoleLevel() {
-
-        if (this.hiddenFromDisplayBelowRoleLevel != null) {
-            return this.hiddenFromDisplayBelowRoleLevel;
-        } else {
-            cls.getOntModel().enterCriticalSection(Lock.READ);
-            try {
-                //There might be multiple HIDDEN_FROM_EDIT_DISPLAY_ANNOT properties, only use the highest
-                StmtIterator it = cls.listProperties(webappDaoFactory.getJenaBaseDao().HIDDEN_FROM_DISPLAY_BELOW_ROLE_LEVEL_ANNOT);
-                BaseResourceBean.RoleLevel hiddenRoleLevel = null;
-
-                while( it.hasNext() ){
-                    Statement stmt = it.nextStatement();
-                    RDFNode obj;
-                    if( stmt != null && (obj = stmt.getObject()) != null && obj.isURIResource() ){
-                        Resource res = obj.as(Resource.class);
-                        if( res != null && res.getURI() != null ){
-                            BaseResourceBean.RoleLevel roleFromModel = BaseResourceBean.RoleLevel.getRoleByUri(res.getURI());
-                            if( roleFromModel != null &&
-                                (hiddenRoleLevel == null || roleFromModel.compareTo(hiddenRoleLevel) > 0 )){
-                                hiddenRoleLevel = roleFromModel;
-                            }
-                        }
-                    }
-                }
-
-                setHiddenFromDisplayBelowRoleLevel(hiddenRoleLevel); //this might get set to null
-            	return this.hiddenFromDisplayBelowRoleLevel;
-            } finally {
-                cls.getOntModel().leaveCriticalSection();
-            }
-        }
-    }
-
-    @Override
-    public RoleLevel getProhibitedFromUpdateBelowRoleLevel() {
-
-        if (this.prohibitedFromUpdateBelowRoleLevel != null) {
-            return this.prohibitedFromUpdateBelowRoleLevel;
-        } else {
-            cls.getOntModel().enterCriticalSection(Lock.READ);
-            try {
-                //There might be multiple PROHIBITED_FROM_UPDATE_BELOW_ROLE_LEVEL_ANNOT properties, only use the highest
-            	StmtIterator it = cls.listProperties(webappDaoFactory.getJenaBaseDao().PROHIBITED_FROM_UPDATE_BELOW_ROLE_LEVEL_ANNOT);
-                BaseResourceBean.RoleLevel prohibitedRoleLevel = null;
-                while( it.hasNext() ){
-                    Statement stmt = it.nextStatement();
-                    RDFNode obj;
-                    if( stmt != null && (obj = stmt.getObject()) != null && obj.isURIResource() ){
-                        Resource res = obj.as(Resource.class);
-                        if( res != null && res.getURI() != null ){
-                            BaseResourceBean.RoleLevel roleFromModel = BaseResourceBean.RoleLevel.getRoleByUri(res.getURI());
-                            if( roleFromModel != null &&
-                                (prohibitedRoleLevel == null || roleFromModel.compareTo(prohibitedRoleLevel) > 0 )){
-                                prohibitedRoleLevel = roleFromModel;
-                            }
-                        }
-                    }
-                }
-
-                setProhibitedFromUpdateBelowRoleLevel(prohibitedRoleLevel); //this might get set to null
-            	return this.prohibitedFromUpdateBelowRoleLevel;
-            } finally {
-                cls.getOntModel().leaveCriticalSection();
-            }
-        }
-    }
-
-    @Override
-    public RoleLevel getHiddenFromPublishBelowRoleLevel() {
-
-        if (this.hiddenFromPublishBelowRoleLevel != null) {
-            return this.hiddenFromPublishBelowRoleLevel;
-        } else {
-            cls.getOntModel().enterCriticalSection(Lock.READ);
-            try {
-                //There might be multiple HIDDEN_FROM_PUBLISH_BELOW_ROLE_LEVEL_ANNOT properties, only use the highest
-                StmtIterator it = cls.listProperties(webappDaoFactory.getJenaBaseDao().HIDDEN_FROM_PUBLISH_BELOW_ROLE_LEVEL_ANNOT);
-                BaseResourceBean.RoleLevel publishRoleLevel = null;
-
-                while( it.hasNext() ){
-                    Statement stmt = it.nextStatement();
-                    RDFNode obj;
-                    if( stmt != null && (obj = stmt.getObject()) != null && obj.isURIResource() ){
-                        Resource res = obj.as(Resource.class);
-                        if( res != null && res.getURI() != null ){
-                            BaseResourceBean.RoleLevel roleFromModel = BaseResourceBean.RoleLevel.getRoleByUri(res.getURI());
-                            if( roleFromModel != null &&
-                                (publishRoleLevel == null || roleFromModel.compareTo(publishRoleLevel) > 0 )){
-                                publishRoleLevel = roleFromModel;
-                            }
-                        }
-                    }
-                }
-
-                setHiddenFromPublishBelowRoleLevel(publishRoleLevel); //this might get set to null
-            	return this.hiddenFromPublishBelowRoleLevel;
-            } finally {
-                cls.getOntModel().leaveCriticalSection();
-            }
-        }
-    }
+        }		 	    
+    } 
 
     @Override
     public boolean isUnion() {
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/edit/n3editing/configuration/generators/ManageLabelsForIndividualGenerator.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/edit/n3editing/configuration/generators/ManageLabelsForIndividualGenerator.java
index 3e03abcf76..779fe59e68 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/edit/n3editing/configuration/generators/ManageLabelsForIndividualGenerator.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/edit/n3editing/configuration/generators/ManageLabelsForIndividualGenerator.java
@@ -1,9 +1,9 @@
 /* $This file is distributed under the terms of the license in LICENSE$ */
 package edu.cornell.mannlib.vitro.webapp.edit.n3editing.configuration.generators;
 
-import static edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction.SOME_LITERAL;
-import static edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction.SOME_PREDICATE;
-import static edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction.SOME_URI;
+import static edu.cornell.mannlib.vitro.webapp.auth.objects.AccessObject.SOME_LITERAL;
+import static edu.cornell.mannlib.vitro.webapp.auth.objects.AccessObject.SOME_PREDICATE;
+import static edu.cornell.mannlib.vitro.webapp.auth.objects.AccessObject.SOME_URI;
 
 import java.io.FileNotFoundException;
 import java.util.ArrayList;
@@ -28,9 +28,12 @@
 import org.apache.jena.rdf.model.Literal;
 import org.apache.jena.vocabulary.RDFS;
 
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.DataPropertyStatementAccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.ObjectPropertyStatementAccessObject;
 import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyHelper;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AddDataPropertyStatement;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AddObjectPropertyStatement;
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.AuthorizationRequest;
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.SimpleAuthorizationRequest;
 import edu.cornell.mannlib.vitro.webapp.beans.Individual;
 import edu.cornell.mannlib.vitro.webapp.beans.Property;
 import edu.cornell.mannlib.vitro.webapp.beans.VClass;
@@ -287,13 +290,13 @@ public int compare(HashMap<String, String> h1, HashMap<String, String> h2) {
 
 	private Object isEditable(VitroRequest vreq, EditConfigurationVTwo config) {
 		Individual individual = EditConfigurationUtils.getIndividual(vreq, config.getSubjectUri());
-		AddDataPropertyStatement adps = new AddDataPropertyStatement(
+		DataPropertyStatementAccessObject adps = new DataPropertyStatementAccessObject(
 				vreq.getJenaOntModel(), individual.getURI(),
 				SOME_URI, SOME_LITERAL);
-		AddObjectPropertyStatement aops = new AddObjectPropertyStatement(
+		ObjectPropertyStatementAccessObject aops = new ObjectPropertyStatementAccessObject(
 				vreq.getJenaOntModel(), individual.getURI(),
 				SOME_PREDICATE, SOME_URI);
-    	return PolicyHelper.isAuthorizedForActions(vreq, adps.or(aops));
+    	return PolicyHelper.isAuthorizedForActions(vreq, AuthorizationRequest.or(new SimpleAuthorizationRequest(aops, AccessOperation.ADD), new SimpleAuthorizationRequest(aops, AccessOperation.ADD)));
 	}
 
 
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/edit/n3editing/controller/EditRequestDispatchController.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/edit/n3editing/controller/EditRequestDispatchController.java
index 4b22cf6aae..2bdd3fd789 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/edit/n3editing/controller/EditRequestDispatchController.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/edit/n3editing/controller/EditRequestDispatchController.java
@@ -2,8 +2,6 @@
 
 package edu.cornell.mannlib.vitro.webapp.edit.n3editing.controller;
 
-import static edu.cornell.mannlib.vitro.webapp.edit.n3editing.VTwo.EditConfigurationUtils.getPredicateUri;
-
 import java.util.HashMap;
 import java.util.Map;
 
@@ -17,16 +15,18 @@
 import org.apache.jena.ontology.OntModel;
 import org.apache.jena.vocabulary.RDFS;
 
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.AccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.DataPropertyStatementAccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.FauxDataPropertyStatementAccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.FauxObjectPropertyStatementAccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.ObjectPropertyStatementAccessObject;
 import edu.cornell.mannlib.vitro.webapp.auth.permissions.SimplePermission;
 import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyHelper;
 import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.AuthorizationRequest;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AddObjectPropertyStatement;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.DropObjectPropertyStatement;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.EditDataPropertyStatement;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.EditObjectPropertyStatement;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AbstractObjectPropertyStatementAction;
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.SimpleAuthorizationRequest;
 import edu.cornell.mannlib.vitro.webapp.beans.DataProperty;
+import edu.cornell.mannlib.vitro.webapp.beans.FauxProperty;
 import edu.cornell.mannlib.vitro.webapp.beans.Individual;
 import edu.cornell.mannlib.vitro.webapp.beans.Property;
 import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
@@ -82,24 +82,43 @@ protected AuthorizationRequest requiredActions(VitroRequest vreq) {
 		String objectUri = EditConfigurationUtils.getObjectUri(vreq);
 		String domainUri = EditConfigurationUtils.getDomainUri(vreq);
 		String rangeUri = EditConfigurationUtils.getRangeUri(vreq);
+		FauxProperty fauxProperty = getFauxConfigUri(vreq);
 		Property predicateProp = new Property();
 		predicateProp.setURI(predicateUri);
 		predicateProp.setDomainVClassURI(domainUri);
 		predicateProp.setRangeVClassURI(rangeUri);
 		OntModel ontModel = ModelAccess.on(vreq).getOntModel();
-		AbstractObjectPropertyStatementAction objectPropertyAction;
+		AccessObject objectPropertyAccessObject;
+		AccessObject dataPropertyAccessObject;
+		AccessOperation accessOperation;
 		if (StringUtils.isBlank(objectUri)) {
-			objectPropertyAction = new AddObjectPropertyStatement(ontModel, subjectUri, predicateProp, RequestedAction.SOME_URI);
+		    if (fauxProperty == null) {
+		        objectPropertyAccessObject = new ObjectPropertyStatementAccessObject(ontModel, subjectUri, predicateProp, AccessObject.SOME_URI);    
+		    } else {
+		        objectPropertyAccessObject = new FauxObjectPropertyStatementAccessObject(ontModel, subjectUri, fauxProperty, AccessObject.SOME_URI);
+		    }
+			accessOperation = AccessOperation.ADD;
 		} else {
+		    if (fauxProperty == null) {
+		        objectPropertyAccessObject = new ObjectPropertyStatementAccessObject(ontModel, subjectUri, predicateProp, objectUri);
+		    } else {
+	            objectPropertyAccessObject = new FauxObjectPropertyStatementAccessObject(ontModel, subjectUri, fauxProperty, objectUri);
+		    }
 			if (isDeleteForm(vreq)) {
-				objectPropertyAction = new DropObjectPropertyStatement(ontModel, subjectUri, predicateProp, objectUri);
+				accessOperation = AccessOperation.DROP;
 			} else {
-				objectPropertyAction = new EditObjectPropertyStatement(ontModel, subjectUri, predicateProp, objectUri);
+				accessOperation = AccessOperation.EDIT;
 			}
 		}
+		if (fauxProperty == null) {
+		    dataPropertyAccessObject = new DataPropertyStatementAccessObject(ontModel, subjectUri, predicateUri, objectUri);    
+		} else {
+		    dataPropertyAccessObject = new FauxDataPropertyStatementAccessObject(ontModel, subjectUri, fauxProperty, objectUri);
+		}
 		boolean isAuthorized = PolicyHelper.isAuthorizedForActions(vreq, 
-				new EditDataPropertyStatement(ontModel, subjectUri, predicateUri, objectUri).
-				or(objectPropertyAction));
+		        AuthorizationRequest.or(
+		                new SimpleAuthorizationRequest(dataPropertyAccessObject, AccessOperation.EDIT), 
+		                new SimpleAuthorizationRequest(objectPropertyAccessObject, accessOperation)));
 		if (!isAuthorized) {
 			// If request is for new individual, return simple do back end editing action permission
 			if (StringUtils.isNotEmpty(EditConfigurationUtils.getTypeOfNew(vreq))) {
@@ -110,8 +129,18 @@ protected AuthorizationRequest requiredActions(VitroRequest vreq) {
 		}
 		return isAuthorized? SimplePermission.DO_FRONT_END_EDITING.ACTION: AuthorizationRequest.UNAUTHORIZED;
 	}
-
-	private boolean isIndividualDeletion(VitroRequest vreq) {
+	
+    public static FauxProperty getFauxConfigUri(VitroRequest vreq) {
+    	String fauxContextUri = vreq.getParameter("fauxContextUri");
+    	if (fauxContextUri != null) {
+        	WebappDaoFactory wdf = vreq.getWebappDaoFactory();
+        	FauxProperty fp = wdf.getFauxPropertyDao().getFauxPropertyFromContextUri(fauxContextUri);
+        	return fp;
+    	} 
+    	return null;
+    }
+    
+    	private boolean isIndividualDeletion(VitroRequest vreq) {
 		String subjectUri = EditConfigurationUtils.getSubjectUri(vreq);
 		String predicateUri = EditConfigurationUtils.getPredicateUri(vreq);
 		String objectUri = EditConfigurationUtils.getObjectUri(vreq);
@@ -130,7 +159,6 @@ protected ResponseValues processRequest(VitroRequest vreq) {
         if(isMenuMode(vreq)) {
         	return redirectToMenuEdit(vreq);
         }
-
         //check some error conditions and if they exist return response values
          //with error message
          if(isErrorCondition(vreq)){
@@ -262,7 +290,7 @@ private void setSessionRequestFromEntity(VitroRequest vreq) {
 	private String processEditConfGeneratorName(VitroRequest vreq) {
 	    String editConfGeneratorName = null;
 
-	    String predicateUri =  getPredicateUri(vreq);
+	    String predicateUri = EditConfigurationUtils.getPredicateUri(vreq);
 	    String domainUri = EditConfigurationUtils.getDomainUri(vreq);
 	    String rangeUri = EditConfigurationUtils.getRangeUri(vreq);
 
@@ -387,7 +415,6 @@ private boolean isErrorCondition(VitroRequest vreq) {
 
             }
         }
-
     	//Check predicate - if not vitro label and neither data prop nor object prop return error
     	WebappDaoFactory wdf = vreq.getWebappDaoFactory();
     	//TODO: Check if any error conditions are not met here
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/migration/auth/AnnotationMigrator.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/migration/auth/AnnotationMigrator.java
new file mode 100644
index 0000000000..8145754478
--- /dev/null
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/migration/auth/AnnotationMigrator.java
@@ -0,0 +1,265 @@
+package edu.cornell.mannlib.vitro.webapp.migration.auth;
+
+import static edu.cornell.mannlib.vitro.webapp.migration.auth.AuthMigrator.ALL_ROLES;
+import static edu.cornell.mannlib.vitro.webapp.migration.auth.AuthMigrator.ROLE_ADMIN_URI;
+import static edu.cornell.mannlib.vitro.webapp.migration.auth.AuthMigrator.ROLE_CURATOR_URI;
+import static edu.cornell.mannlib.vitro.webapp.migration.auth.AuthMigrator.ROLE_EDITOR_URI;
+import static edu.cornell.mannlib.vitro.webapp.migration.auth.AuthMigrator.ROLE_PUBLIC_URI;
+import static edu.cornell.mannlib.vitro.webapp.migration.auth.AuthMigrator.ROLE_SELF_EDITOR_URI;
+
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Set;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType;
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation;
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.OperationGroup;
+import edu.cornell.mannlib.vitro.webapp.auth.policy.EntityPolicyController;
+import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyLoader;
+import edu.cornell.mannlib.vitro.webapp.modelaccess.ModelNames;
+import edu.cornell.mannlib.vitro.webapp.rdfservice.RDFService;
+import edu.cornell.mannlib.vitro.webapp.rdfservice.impl.RDFServiceUtils;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.jena.query.QuerySolution;
+import org.apache.jena.query.ResultSet;
+
+public class AnnotationMigrator {
+
+    private static final String ROLE_PREFIX = "http://vitro.mannlib.cornell.edu/ns/vitro/authorization#";
+
+    private static final Log log = LogFactory.getLog(AnnotationMigrator.class);
+
+    private static final String PREFIX = "http://vitro.mannlib.cornell.edu/ns/vitro/role#";
+    private static final String OLD_ROLE_PUBLIC = PREFIX + "public";
+    private static final String OLD_ROLE_SELF = PREFIX + "selfEditor";
+    private static final String OLD_ROLE_EDITOR = PREFIX + "editor";
+    private static final String OLD_ROLE_CURATOR = PREFIX + "curator";
+    private static final String OLD_ROLE_DB_ADMIN = PREFIX + "dbAdmin";
+    private static final String OLD_ROLE_NOBODY = PREFIX + "nobody";
+
+    private RDFService contentRdfService;
+    private RDFService configurationRdfService;
+    private Map<String, Set<String>> showMap;
+
+    public AnnotationMigrator(RDFService contentRdfService, RDFService configurationRdfService) {
+        this.contentRdfService = contentRdfService;
+        this.configurationRdfService = configurationRdfService;
+        showMap = new HashMap<>();
+        showMap.put(OLD_ROLE_PUBLIC, ALL_ROLES);
+        showMap.put(OLD_ROLE_SELF, new HashSet<String>(
+                Arrays.asList(ROLE_ADMIN_URI, ROLE_CURATOR_URI, ROLE_EDITOR_URI, ROLE_SELF_EDITOR_URI)));
+        showMap.put(OLD_ROLE_EDITOR,
+                new HashSet<String>(Arrays.asList(ROLE_ADMIN_URI, ROLE_CURATOR_URI, ROLE_EDITOR_URI)));
+        showMap.put(OLD_ROLE_CURATOR, new HashSet<String>(Arrays.asList(ROLE_ADMIN_URI, ROLE_CURATOR_URI)));
+        showMap.put(OLD_ROLE_DB_ADMIN, new HashSet<String>(Arrays.asList(ROLE_ADMIN_URI)));
+        showMap.put(OLD_ROLE_NOBODY, Collections.emptySet());
+    }
+
+    protected void migrateConfiguration() {
+        log.info("Started annotation configuration conversion");
+        Map<String, Map<OperationGroup, Set<String>>> opConfigs = getObjectPropertyAnnotations();
+        log.info(String.format("Found %s object property annotation configurations", opConfigs.size()));
+        Map<String, Map<OperationGroup, Set<String>>> dpConfigs = getDataPropertyAnnotations();
+        log.info(String.format("Found %s data property annotation configurations", dpConfigs.size()));
+        Map<String, Map<OperationGroup, Set<String>>> classConfigs = getClassAnnotations();
+        log.info(String.format("Found %s class annotation configurations", classConfigs.size()));
+        Map<String, Map<OperationGroup, Set<String>>> fopConfigs = getFauxObjectPropertyAnnotations(opConfigs.keySet());
+        log.info(String.format("Found %s faux object property annotation configurations", fopConfigs.size()));
+        Map<String, Map<OperationGroup, Set<String>>> fdpConfigs = getFauxDataPropertyAnnotations(dpConfigs.keySet());
+        log.info(String.format("Found %s faux data property annotation configurations", fdpConfigs.size()));
+        Long[] valueCounts = updatePolicyDatasets(AccessObjectType.OBJECT_PROPERTY, opConfigs);
+        log.info(String.format("Updated object property datasets. Added %d values, removed %d values", valueCounts[0],
+                valueCounts[1]));
+        valueCounts = updatePolicyDatasets(AccessObjectType.DATA_PROPERTY, dpConfigs);
+        log.info(String.format("Updated data property datasets, added %d values, removed %d values", valueCounts[0],
+                valueCounts[1]));
+        valueCounts = updatePolicyDatasets(AccessObjectType.CLASS, classConfigs);
+        log.info(String.format("Updated class property datasets, added %d values, removed %d values", valueCounts[0],
+                valueCounts[1]));
+        valueCounts = updatePolicyDatasets(AccessObjectType.FAUX_OBJECT_PROPERTY, fopConfigs);
+        log.info(String.format("Updated faux object property datasets, added %d values, removed %d values",
+                valueCounts[0], valueCounts[1]));
+        valueCounts = updatePolicyDatasets(AccessObjectType.FAUX_DATA_PROPERTY, fdpConfigs);
+        log.info(String.format("Updated data property datasets, added %d values, removed %d values", valueCounts[0],
+                valueCounts[1]));
+        PolicyLoader.getInstance().loadPolicies();
+    }
+
+    protected Map<String, Map<OperationGroup, Set<String>>> getFauxDataPropertyAnnotations(Set<String> dataProperties) {
+        String queryText = getAnnotationQuery(fauxTypeSpecificPatterns);
+        return getFauxConfigurations(queryText, configurationRdfService, dataProperties);
+    }
+
+    protected Map<String, Map<OperationGroup, Set<String>>> getFauxObjectPropertyAnnotations(
+            Set<String> objectProperties) {
+        String queryText = getAnnotationQuery(fauxTypeSpecificPatterns);
+        return getFauxConfigurations(queryText, configurationRdfService, objectProperties);
+    }
+
+    protected Map<String, Map<OperationGroup, Set<String>>> getClassAnnotations() {
+        String queryText = getAnnotationQuery("  ?uri rdf:type owl:Class .\n");
+        return getConfigurations(queryText, contentRdfService);
+    }
+
+    protected Map<String, Map<OperationGroup, Set<String>>> getDataPropertyAnnotations() {
+        String queryText = getAnnotationQuery("  ?uri rdf:type owl:DatatypeProperty .\n");
+        return getConfigurations(queryText, contentRdfService);
+    }
+
+    protected Map<String, Map<OperationGroup, Set<String>>> getObjectPropertyAnnotations() {
+        String queryText = getAnnotationQuery("  ?uri rdf:type owl:ObjectProperty .\n");
+        return getConfigurations(queryText, contentRdfService);
+    }
+
+    /**
+     * @return map of entity URIs and maps of operations and list of allowed roles
+     */
+    private Map<String, Map<OperationGroup, Set<String>>> getConfigurations(String queryText, RDFService service) {
+        Map<String, Map<OperationGroup, Set<String>>> configs = new HashMap<>();
+        try {
+            ResultSet rs = RDFServiceUtils.sparqlSelectQuery(queryText, service);
+            while (rs.hasNext()) {
+                QuerySolution qs = rs.next();
+                collectConfiguration(configs, qs);
+            }
+        } catch (Exception e) {
+            log.error(e, e);
+        }
+        return configs;
+    }
+
+    /**
+     * @param targetProperties set of property URIs to get configurations from
+     * @return map of entity URIs and maps of operations and list of allowed roles
+     */
+    private Map<String, Map<OperationGroup, Set<String>>> getFauxConfigurations(String queryText, RDFService service,
+            Set<String> targetProperties) {
+        Map<String, Map<OperationGroup, Set<String>>> configs = new HashMap<>();
+        try {
+            ResultSet rs = RDFServiceUtils.sparqlSelectQuery(queryText, service);
+            while (rs.hasNext()) {
+                QuerySolution qs = rs.next();
+                String baseUri = qs.getResource("base").getURI();
+                if (!targetProperties.contains(baseUri)) {
+                    continue;
+                }
+                collectConfiguration(configs, qs);
+            }
+        } catch (Exception e) {
+            log.error(e, e);
+        }
+        return configs;
+    }
+
+    private void collectConfiguration(Map<String, Map<OperationGroup, Set<String>>> configs, QuerySolution qs) {
+        String uri = qs.getResource("uri").getURI();
+        String displayAnnotation = qs.getResource("display").getURI();
+        Set<String> displayRoles = new HashSet<>(showMap.get(displayAnnotation));
+
+        String publishAnnotation = qs.getResource("publish").getURI();
+        Set<String> publishRoles = new HashSet<>(showMap.get(publishAnnotation));
+        publishRoles.remove(ROLE_PUBLIC_URI);
+
+        String updateAnnotation = qs.getResource("update").getURI();
+        Set<String> updateRoles = new HashSet<>(showMap.get(updateAnnotation));
+        updateRoles.remove(ROLE_PUBLIC_URI);
+
+        Map<OperationGroup, Set<String>> config = new HashMap<>();
+        config.put(OperationGroup.UPDATE_GROUP, updateRoles);
+        config.put(OperationGroup.PUBLISH_GROUP, publishRoles);
+        config.put(OperationGroup.DISPLAY_GROUP, displayRoles);
+        configs.put(uri, config);
+    }
+
+    private static Long[] updatePolicyDatasets(AccessObjectType aot,
+            Map<String, Map<OperationGroup, Set<String>>> configs) {
+        StringBuilder additions = new StringBuilder();
+        StringBuilder removals = new StringBuilder();
+        for (String entityUri : configs.keySet()) {
+            Map<OperationGroup, Set<String>> groupMap = configs.get(entityUri);
+            for (OperationGroup og : groupMap.keySet()) {
+                for (AccessOperation ao : OperationGroup.getOperations(og)) {
+                    Set<String> rolesToAdd = groupMap.get(og);
+                    if (!rolesToAdd.isEmpty()) {
+                        log.info(String.format("Granted access to %s %s %s for roles %s", ao, aot, entityUri,
+                                rolesToString(rolesToAdd)));
+                    }
+                    EntityPolicyController.getDataValueStatements(entityUri, aot, ao, rolesToAdd, additions);
+                    Set<String> rolesToRemove = new HashSet<>(ALL_ROLES);
+                    rolesToRemove.removeAll(rolesToAdd);
+                    // Don't remove public publish and update data sets, as there are no public policies for that
+                    // operation
+                    // groups
+                    if (OperationGroup.PUBLISH_GROUP.equals(og) || OperationGroup.UPDATE_GROUP.equals(og)) {
+                        rolesToRemove.remove(ROLE_PUBLIC_URI);
+                    }
+                    if (!rolesToRemove.isEmpty()) {
+                        log.info(String.format("Revoked access to %s %s %s for roles %s", ao, aot, entityUri,
+                                rolesToString(rolesToRemove)));
+                    }
+                    EntityPolicyController.getDataValueStatements(entityUri, aot, ao, rolesToRemove, removals);
+                    log.debug(String.format(
+                            "Updated entity %s dataset for operation group %s access object type %s roles %s",
+                            entityUri, og, aot, rolesToAdd));
+                }
+            }
+        }
+        PolicyLoader.getInstance().updateAccessControlModel(additions.toString(), true);
+        PolicyLoader.getInstance().updateAccessControlModel(removals.toString(), false);
+        return new Long[] { getLineCount(additions.toString()), getLineCount(removals.toString()) };
+    }
+
+    private static Object rolesToString(Set<String> roles) {
+        String result = "";
+        for (String roleUri : roles) {
+            String roleName = roleUri;
+            if (roleName.startsWith(ROLE_PREFIX)) {
+                roleName = roleName.substring(ROLE_PREFIX.length());
+            }
+            if (!result.isEmpty()) {
+                result += ", ";
+            }
+            result += roleName;
+        }
+        return result;
+    }
+
+    private static String getAnnotationQuery(String typeSpecificPatterns) {
+        return ""
+                + "PREFIX vitro: <http://vitro.mannlib.cornell.edu/ns/vitro/0.7#> \n"
+                + "PREFIX rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#>\n"
+                + "PREFIX owl: <http://www.w3.org/2002/07/owl#> \n"
+                + "SELECT ?base ?uri ?update ?display ?publish\n"
+                + "WHERE {\n"
+                + typeSpecificPatterns
+                + "{OPTIONAL { ?uri vitro:hiddenFromDisplayBelowRoleLevelAnnot ?displayAssigned . }\n"
+                + "BIND (COALESCE(?displayAssigned, <http://vitro.mannlib.cornell.edu/ns/vitro/role#public>) AS ?display)\n"
+                + "OPTIONAL { ?uri vitro:prohibitedFromUpdateBelowRoleLevelAnnot ?updateAssigned . }\n"
+                + "BIND (COALESCE(?updateAssigned, <http://vitro.mannlib.cornell.edu/ns/vitro/role#selfEditor>) AS ?update)\n"
+                + "OPTIONAL { ?uri vitro:hiddenFromPublishBelowRoleLevelAnnot ?publishAssigned . }\n"
+                + "BIND (COALESCE(?publishAssigned, <http://vitro.mannlib.cornell.edu/ns/vitro/role#public>) AS ?publish)\n"
+                + "FILTER (!isBlank(?uri))\n" + "}} \n";
+    }
+
+    private static final String fauxTypeSpecificPatterns = "" + "GRAPH <" + ModelNames.DISPLAY + "> {"
+            + "  ?context <http://vitro.mannlib.cornell.edu/ns/vitro/ApplicationConfiguration#configContextFor> ?base .\n"
+            + "  ?context <http://vitro.mannlib.cornell.edu/ns/vitro/ApplicationConfiguration#hasConfiguration> ?uri .\n"
+            + "  ?uri rdf:type <http://vitro.mannlib.cornell.edu/ns/vitro/ApplicationConfiguration#ObjectPropertyDisplayConfig> .\n"
+            + "} GRAPH <" + ModelNames.DISPLAY + ">";
+
+    private static long getLineCount(String lines) {
+        Matcher matcher = Pattern.compile("\n").matcher(lines);
+        long i = 0;
+        while (matcher.find()) {
+            i++;
+        }
+        return i;
+    }
+
+}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/migration/auth/ArmMigrator.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/migration/auth/ArmMigrator.java
new file mode 100644
index 0000000000..58b3af75f9
--- /dev/null
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/migration/auth/ArmMigrator.java
@@ -0,0 +1,390 @@
+package edu.cornell.mannlib.vitro.webapp.migration.auth;
+
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType;
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation;
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.OperationGroup;
+import edu.cornell.mannlib.vitro.webapp.auth.policy.EntityPolicyController;
+import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyLoader;
+import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyTemplateController;
+import edu.cornell.mannlib.vitro.webapp.dao.VitroVocabulary;
+import edu.cornell.mannlib.vitro.webapp.modelaccess.ModelNames;
+import edu.cornell.mannlib.vitro.webapp.rdfservice.RDFService;
+import edu.cornell.mannlib.vitro.webapp.rdfservice.impl.RDFServiceUtils;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.jena.ontology.OntModel;
+import org.apache.jena.query.ParameterizedSparqlString;
+import org.apache.jena.query.QueryExecution;
+import org.apache.jena.query.QueryExecutionFactory;
+import org.apache.jena.query.QuerySolution;
+import org.apache.jena.query.ResultSet;
+
+public class ArmMigrator {
+
+    private static final Log log = LogFactory.getLog(ArmMigrator.class);
+
+    protected static String DISPLAY = "Display";
+    protected static String UPDATE = "Update";
+    protected static String PUBLISH = "Publish";
+
+    protected static final String ARM_ADMIN = "ADMIN";
+    protected static final String ARM_CURATOR = "CURATOR";
+    protected static final String ARM_EDITOR = "EDITOR";
+    protected static final String ARM_SELF_EDITOR = "SELF_EDITOR";
+    protected static final String ARM_PUBLIC = "PUBLIC";
+    protected static final String ARM_CUSTOM = "CUSTOM";
+    protected StringBuilder removals = new StringBuilder();
+    protected StringBuilder additions = new StringBuilder();
+
+    protected static final List<String> armOperations = Arrays.asList(DISPLAY, UPDATE, PUBLISH);
+    protected static final List<AccessObjectType> entityTypes =
+            Arrays.asList(AccessObjectType.CLASS, AccessObjectType.OBJECT_PROPERTY, AccessObjectType.DATA_PROPERTY,
+                    AccessObjectType.FAUX_OBJECT_PROPERTY, AccessObjectType.FAUX_DATA_PROPERTY);
+
+    private RDFService contentRdfService;
+    private RDFService configurationRdfService;
+    private OntModel userAccountsModel;
+
+    private String VALUE_QUERY = ""
+            + "SELECT ?uri \n"
+            + "WHERE {\n"
+            + "  ?permission <http://vitro.mannlib.cornell.edu/ns/vitro/authorization#forEntity> ?uri . \n"
+            + "}";
+
+    private String PERMISSION_SETS_QUERY = ""
+            + "prefix auth: <http://vitro.mannlib.cornell.edu/ns/vitro/authorization#>\n"
+            + "SELECT ?uri \n"
+            + "WHERE {\n"
+            + "    ?uri a auth:PermissionSet . \n"
+            + "}";
+
+    private static Map<String, String> roleMap;
+    private static Map<String, OperationGroup> operationMap;
+
+    public ArmMigrator(RDFService contentRdfService, RDFService configurationRdfService, OntModel userAccountsModel) {
+        this.contentRdfService = contentRdfService;
+        this.configurationRdfService = configurationRdfService;
+        this.userAccountsModel = userAccountsModel;
+        operationMap = new HashMap<>();
+        operationMap.put(DISPLAY, OperationGroup.DISPLAY_GROUP);
+        operationMap.put(UPDATE, OperationGroup.UPDATE_GROUP);
+        operationMap.put(PUBLISH, OperationGroup.PUBLISH_GROUP);
+
+        roleMap = new HashMap<>();
+        roleMap.put(ARM_ADMIN, AuthMigrator.ROLE_ADMIN_URI);
+        roleMap.put(ARM_CURATOR, AuthMigrator.ROLE_CURATOR_URI);
+        roleMap.put(ARM_EDITOR, AuthMigrator.ROLE_EDITOR_URI);
+        roleMap.put(ARM_SELF_EDITOR, AuthMigrator.ROLE_SELF_EDITOR_URI);
+        roleMap.put(ARM_PUBLIC, AuthMigrator.ROLE_PUBLIC_URI);
+        Set<String> actualRoles = getPermissionSets();
+        for (String role : actualRoles) {
+            if (!roleMap.values().contains(role)) {
+                String roleName = getRoleName(role);
+                log.info(String.format("Custom role %s found.", roleName));
+                roleMap.put(roleName, role);
+                PolicyTemplateController.createRoleDataSets(role);
+                log.info(String.format("Created policy data sets for custom role %s.", roleName));
+            }
+        }
+    }
+
+    public static String getArmPermissionSubject(String operation, String role) {
+        return "java:edu.cornell.mannlib.vitro.webapp.auth.permissions.Entity" + operation + "Permission#" + role;
+    }
+
+    private static String getRoleName(String roleUri) {
+        return roleUri.substring(roleUri.lastIndexOf('#') + 1);
+    }
+
+    public void migrateConfiguration() {
+        cleanEntityDataSetValues();
+        Map<AccessObjectType, Set<String>> entityTypeMap = getEntityMap();
+        collectAdditions(entityTypeMap);
+        PolicyLoader.getInstance().updateAccessControlModel(additions.toString(), true);
+    }
+
+    private void cleanEntityDataSetValues() {
+        getStatementsToRemove();
+        PolicyLoader.getInstance().updateAccessControlModel(removals.toString(), false);
+    }
+
+    protected StringBuilder getStatementsToRemove() {
+        for (String role : roleMap.keySet()) {
+            String newRole = roleMap.get(role);
+            getRoleStatementsToRemove(newRole);
+        }
+        return removals;
+    }
+
+    private void getRoleStatementsToRemove(String role) {
+        for (String operation : armOperations) {
+            OperationGroup og = operationMap.get(operation);
+            getRoleOpGroupStatementsToRemove(role, og);
+        }
+    }
+
+    private void getRoleOpGroupStatementsToRemove(String role, OperationGroup og) {
+        for (AccessOperation ao : OperationGroup.getOperations(og)) {
+            getRoleOperationStatementsToRemove(role, ao);
+        }
+    }
+
+    private void getRoleOperationStatementsToRemove(String role, AccessOperation ao) {
+        for (AccessObjectType aot : entityTypes) {
+            getRoleOperationObjectTypedStatementsToRemove(role, ao, aot);
+        }
+    }
+
+    private void getRoleOperationObjectTypedStatementsToRemove(String role, AccessOperation ao, AccessObjectType aot) {
+        Set<String> entityUris = PolicyLoader.getInstance().getDataSetValues(ao, aot, role);
+        for (String entityUri : entityUris) {
+            EntityPolicyController.getDataValueStatements(entityUri, aot, ao, Collections.singleton(role), removals);
+        }
+    }
+
+    private Set<String> getFauxByBase(String baseUri) {
+        Set<String> entities = new HashSet<>();
+        String queryText = getQueryText(AccessObjectType.FAUX_OBJECT_PROPERTY);
+        RDFService service = getRdfService(AccessObjectType.FAUX_OBJECT_PROPERTY);
+        try {
+            ResultSet rs = RDFServiceUtils.sparqlSelectQuery(queryText, service);
+            while (rs.hasNext()) {
+                QuerySolution qs = rs.next();
+                String entity = qs.getResource("uri").getURI();
+                String base = qs.getResource("base").getURI();
+                if (baseUri.equals(base)) {
+                    entities.add(entity);
+                }
+            }
+        } catch (Exception e) {
+            log.error(e, e);
+        }
+        return entities;
+    }
+
+    protected void collectAdditions(Map<AccessObjectType, Set<String>> entityTypeMap) {
+        for (String role : roleMap.keySet()) {
+            String newRole = roleMap.get(role);
+            getRoleStatementsToAdd(entityTypeMap, role, newRole);
+        }
+    }
+
+    private void getRoleStatementsToAdd(Map<AccessObjectType, Set<String>> entityTypeMap, String role, String newRole) {
+        for (String operation : armOperations) {
+            getRoleOperationStatementsToAdd(entityTypeMap, role, newRole, operation);
+        }
+    }
+
+    private void getRoleOperationStatementsToAdd(Map<AccessObjectType, Set<String>> entityTypeMap, String role,
+            String newRole, String operation) {
+        String permissionUri = getArmPermissionSubject(operation, role);
+        Set<String> armEntities = getArmEntites(permissionUri);
+        OperationGroup og = operationMap.get(operation);
+        Set<String> addFauxOP = new HashSet<>();
+        Set<String> addFauxDP = new HashSet<>();
+        for (AccessObjectType type : entityTypes) {
+            getRoleOperationObjectTypedStatementsToAdd(entityTypeMap, role, newRole, armEntities, og, addFauxOP,
+                    addFauxDP, type);
+        }
+    }
+
+    private void getRoleOperationObjectTypedStatementsToAdd(Map<AccessObjectType, Set<String>> entityTypeMap,
+            String role, String newRole, Set<String> armEntities, OperationGroup og, Set<String> addFauxOP,
+            Set<String> addFauxDP, AccessObjectType type) {
+        Set<String> allTypeEntitities = entityTypeMap.get(type);
+        HashSet<String> intersectionEntities = new HashSet<>(armEntities);
+        intersectionEntities.retainAll(allTypeEntitities);
+
+        // Workaround for ARM behavior
+        if (AccessObjectType.OBJECT_PROPERTY.equals(type)) {
+            // find all faux object properties for each of base property from entityUri set
+            // and add to the list of additional faux object properties
+            for (String entity : intersectionEntities) {
+                Set<String> faux = getFauxByBase(entity);
+                addFauxOP.addAll(faux);
+            }
+        }
+        if (AccessObjectType.DATA_PROPERTY.equals(type)) {
+            // find all faux data properties for each of base property from entityUri set
+            // and add to the list of additional faux data properties
+            for (String entity : intersectionEntities) {
+                Set<String> faux = getFauxByBase(entity);
+                addFauxDP.addAll(faux);
+            }
+            // Workaround for missing rdfs:label in ARM
+            //Allow any role to display/update/publish rdfs:label
+            //with exception to public role and update/publish operations groups
+            if (!(ARM_PUBLIC.equals(role) && !OperationGroup.DISPLAY_GROUP.equals(og))) {
+                intersectionEntities.add(VitroVocabulary.LABEL);
+            }
+        }
+        if (AccessObjectType.FAUX_OBJECT_PROPERTY.equals(type)) {
+            intersectionEntities.addAll(addFauxOP);
+        }
+        if (AccessObjectType.FAUX_DATA_PROPERTY.equals(type)) {
+            intersectionEntities.addAll(addFauxDP);
+        }
+        for (AccessOperation ao : OperationGroup.getOperations(og)) {
+            for (String entityUri : intersectionEntities) {
+                log.info(String.format("Allow %s role to %s %s entity <%s>", role, ao, type, entityUri));
+                EntityPolicyController.getDataValueStatements(entityUri, type, ao, Collections.singleton(newRole),
+                        additions);
+            }
+        }
+    }
+
+    protected Map<AccessObjectType, Set<String>> getEntityMap() {
+        Map<AccessObjectType, Set<String>> map = new HashMap<>();
+        for (AccessObjectType type : entityTypes) {
+            addEntitiesForType(type, map);
+        }
+        return map;
+    }
+
+    private void addEntitiesForType(AccessObjectType type, Map<AccessObjectType, Set<String>> map) {
+        Set<String> entities = new HashSet<>();
+        String queryText = getQueryText(type);
+        RDFService service = getRdfService(type);
+        try {
+            ResultSet rs = RDFServiceUtils.sparqlSelectQuery(queryText, service);
+            while (rs.hasNext()) {
+                QuerySolution qs = rs.next();
+                String entity = qs.getResource("uri").getURI();
+                if (AccessObjectType.FAUX_DATA_PROPERTY.equals(type)) {
+                    String baseUri = qs.getResource("base").getURI();
+                    Set<String> dataPropSet = map.get(AccessObjectType.DATA_PROPERTY);
+                    if (!dataPropSet.contains(baseUri)) {
+                        continue;
+                    }
+                }
+                if (AccessObjectType.FAUX_OBJECT_PROPERTY.equals(type)) {
+                    String baseUri = qs.getResource("base").getURI();
+                    Set<String> objectPropSet = map.get(AccessObjectType.OBJECT_PROPERTY);
+                    if (!objectPropSet.contains(baseUri)) {
+                        continue;
+                    }
+                }
+                entities.add(entity);
+            }
+        } catch (Exception e) {
+            log.error(e, e);
+        }
+        map.put(type, entities);
+    }
+
+    private String getQueryText(AccessObjectType type) {
+        String fauxTypeSpecificPatterns = "" + "GRAPH <" + ModelNames.DISPLAY + "> {"
+                + "  ?context <http://vitro.mannlib.cornell.edu/ns/vitro/ApplicationConfiguration#configContextFor> ?base .\n"
+                + "  ?context <http://vitro.mannlib.cornell.edu/ns/vitro/ApplicationConfiguration#hasConfiguration> ?uri .\n"
+                + "  ?uri rdf:type <http://vitro.mannlib.cornell.edu/ns/vitro/ApplicationConfiguration#ObjectPropertyDisplayConfig> .\n"
+                + "}";
+        switch (type) {
+            case FAUX_OBJECT_PROPERTY:
+                return getQuery(fauxTypeSpecificPatterns);
+            case FAUX_DATA_PROPERTY:
+                return getQuery(fauxTypeSpecificPatterns);
+            case CLASS:
+                return getQuery("{?uri rdf:type owl:Class .}\n");
+            case DATA_PROPERTY:
+                return getQuery("{?uri rdf:type owl:DatatypeProperty .}\n");
+            default:
+                return getQuery("{?uri rdf:type owl:ObjectProperty .}\n");
+        }
+    }
+
+    private static String getQuery(String typePatterns) {
+        return ""
+                + "PREFIX vitro: <http://vitro.mannlib.cornell.edu/ns/vitro/0.7#> \n"
+                + "PREFIX rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#>\n"
+                + "PREFIX owl: <http://www.w3.org/2002/07/owl#> \n"
+                + "SELECT ?base ?uri \n"
+                + "WHERE {\n"
+                + typePatterns + "} \n";
+    }
+
+    private RDFService getRdfService(AccessObjectType type) {
+        if (AccessObjectType.FAUX_OBJECT_PROPERTY.equals(type) || AccessObjectType.FAUX_DATA_PROPERTY.equals(type)) {
+            return configurationRdfService;
+        }
+        return contentRdfService;
+    }
+
+    private Set<String> getArmEntites(String permissionUri) {
+        Set<String> entities = new HashSet<>();
+        ParameterizedSparqlString pss = new ParameterizedSparqlString(VALUE_QUERY);
+        pss.setIri("permission", permissionUri);
+        String queryText = pss.toString();
+        userAccountsModel.enterCriticalSection(false);
+        try {
+            QueryExecution qexec = QueryExecutionFactory.create(queryText, userAccountsModel);
+            try {
+                ResultSet results = qexec.execSelect();
+                while (results.hasNext()) {
+                    QuerySolution qs = results.next();
+                    String entity = qs.getResource("uri").getURI();
+                    entities.add(entity);
+                }
+            } finally {
+                qexec.close();
+            }
+        } finally {
+            userAccountsModel.leaveCriticalSection();
+        }
+        return entities;
+    }
+
+    public boolean isArmConfiguation() {
+        return containsAdminDisplayPermission();
+    }
+
+    private boolean containsAdminDisplayPermission() {
+        boolean result = false;
+        String queryText = ""
+                + "prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#>\n"
+                + "ASK WHERE {\n"
+                + "    <"
+                + getArmPermissionSubject(DISPLAY, ARM_ADMIN) + "> ?p ?o .\n" + "}";
+        userAccountsModel.enterCriticalSection(false);
+        try {
+            QueryExecution qexec = QueryExecutionFactory.create(queryText, userAccountsModel);
+            try {
+                result = qexec.execAsk();
+            } finally {
+                qexec.close();
+            }
+        } finally {
+            userAccountsModel.leaveCriticalSection();
+        }
+        return result;
+    }
+
+    private Set<String> getPermissionSets() {
+        Set<String> permissionSets = new HashSet<>();
+        String queryText = PERMISSION_SETS_QUERY;
+        userAccountsModel.enterCriticalSection(false);
+        try {
+            QueryExecution qexec = QueryExecutionFactory.create(queryText, userAccountsModel);
+            try {
+                ResultSet results = qexec.execSelect();
+                while (results.hasNext()) {
+                    QuerySolution qs = results.next();
+                    String entity = qs.getResource("uri").getURI();
+                    permissionSets.add(entity);
+                }
+            } finally {
+                qexec.close();
+            }
+        } finally {
+            userAccountsModel.leaveCriticalSection();
+        }
+        return permissionSets;
+    }
+}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/migration/auth/AuthMigrator.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/migration/auth/AuthMigrator.java
new file mode 100644
index 0000000000..23b2e9a613
--- /dev/null
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/migration/auth/AuthMigrator.java
@@ -0,0 +1,158 @@
+/* $This file is distributed under the terms of the license in LICENSE$ */
+
+package edu.cornell.mannlib.vitro.webapp.migration.auth;
+
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.Set;
+
+import javax.servlet.ServletContext;
+import javax.servlet.ServletContextEvent;
+import javax.servlet.ServletContextListener;
+
+import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyLoader;
+import edu.cornell.mannlib.vitro.webapp.modelaccess.ContextModelAccess;
+import edu.cornell.mannlib.vitro.webapp.modelaccess.ModelAccess;
+import edu.cornell.mannlib.vitro.webapp.modelaccess.ModelAccess.WhichService;
+import edu.cornell.mannlib.vitro.webapp.rdfservice.RDFService;
+import edu.cornell.mannlib.vitro.webapp.rdfservice.impl.RDFServiceUtils;
+import edu.cornell.mannlib.vitro.webapp.startup.StartupStatus;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.jena.ontology.OntModel;
+import org.apache.jena.query.ParameterizedSparqlString;
+import org.apache.jena.query.QuerySolution;
+import org.apache.jena.query.ResultSet;
+
+public class AuthMigrator implements ServletContextListener {
+
+    private static final Log log = LogFactory.getLog(AuthMigrator.class);
+    protected static final String ROLE_ADMIN_URI = "http://vitro.mannlib.cornell.edu/ns/vitro/authorization#ADMIN";
+    protected static final String ROLE_CURATOR_URI = "http://vitro.mannlib.cornell.edu/ns/vitro/authorization#CURATOR";
+    protected static final String ROLE_EDITOR_URI = "http://vitro.mannlib.cornell.edu/ns/vitro/authorization#EDITOR";
+    protected static final String ROLE_SELF_EDITOR_URI = "http://vitro.mannlib.cornell.edu/ns/vitro/authorization#SELF_EDITOR";
+    protected static final String ROLE_PUBLIC_URI = "http://vitro.mannlib.cornell.edu/ns/vitro/authorization#PUBLIC";
+    protected static final Set<String> ALL_ROLES = new HashSet<String>(
+            Arrays.asList(ROLE_ADMIN_URI, ROLE_CURATOR_URI, ROLE_EDITOR_URI, ROLE_SELF_EDITOR_URI, ROLE_PUBLIC_URI));
+
+    private static final String SET_VERSION_TEMPLATE = ""
+            + "@prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> .\n"
+            + "@prefix access: <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/> .\n"
+            + "<https://vivoweb.org/ontology/vitro-application/auth/individual/Configuration> "
+            + "rdf:type access:Configuration ;\n"
+            + "access:version ?version .";
+
+    private static final String REMOVE_VERSION_TEMPLATE = ""
+            + "@prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> .\n"
+            + "<https://vivoweb.org/ontology/vitro-application/auth/individual/Configuration> "
+            + "<https://vivoweb.org/ontology/vitro-application/auth/vocabulary/version> ?version .";
+
+    private static String VERSION_QUERY = ""
+            + "prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#>\n"
+            + "prefix access: <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/>\n"
+            + "SELECT ?version \n"
+            + "WHERE {\n"
+            + "  GRAPH <http://vitro.mannlib.cornell.edu/default/access-control> {\n"
+            + "       ?configuration rdf:type access:Configuration .\n"
+            + "       ?configuration access:version ?version .\n"
+            + "  }\n"
+            + "}";
+
+    private RDFService contentRdfService;
+    private RDFService configurationRdfService;
+    private ContextModelAccess modelAccess;
+
+    @Override
+    public void contextInitialized(ServletContextEvent sce) {
+        long begin = System.currentTimeMillis();
+        modelAccess = ModelAccess.getInstance();
+        initialize(modelAccess.getRDFService(WhichService.CONTENT),
+                modelAccess.getRDFService(WhichService.CONFIGURATION));
+        if (!isMigrationRequired()) {
+            return;
+        }
+        ServletContext ctx = sce.getServletContext();
+        StartupStatus ss = StartupStatus.getBean(ctx);
+        log.info("Started authorization configuration update");
+        convertAuthorizationConfiguration();
+        log.info("Finished authorization configuration update");
+        ss.info(this, secondsSince(begin) + " seconds to migrate auth models");
+        log.info("Reload all policies after migration");
+        PolicyLoader.getInstance().loadPolicies();
+    }
+
+    protected void initialize(RDFService content, RDFService configuration) {
+        contentRdfService = content;
+        configurationRdfService = configuration;
+    }
+
+    protected void convertAuthorizationConfiguration() {
+        OntModel userAccountsModel = modelAccess.getOntModelSelector().getUserAccountsModel();
+        ArmMigrator armMigrator = new ArmMigrator(contentRdfService, configurationRdfService, userAccountsModel);
+        if (armMigrator.isArmConfiguation()) {
+            armMigrator.migrateConfiguration();
+        } else {
+            migrateAnnotationConfiguation();
+        }
+        migrateSimplePermissions();
+        removeVersion(getVersion());
+        setVersion(1L);
+    }
+
+    private void migrateSimplePermissions() {
+        OntModel userAccountsModel = modelAccess.getOntModelSelector().getUserAccountsModel();
+        SimplePermissionMigrator spm = new SimplePermissionMigrator(userAccountsModel);
+        spm.migrateConfiguration();
+    }
+
+    private void migrateAnnotationConfiguation() {
+        AnnotationMigrator annotationMigrator = new AnnotationMigrator(contentRdfService, configurationRdfService);
+        annotationMigrator.migrateConfiguration();
+    }
+
+    private boolean isMigrationRequired() {
+        if (getVersion() == 0L) {
+            return true;
+        }
+        return false;
+    }
+
+    protected long getVersion() {
+        long version = 0L;
+
+        try {
+            ResultSet rs = RDFServiceUtils.sparqlSelectQuery(VERSION_QUERY, configurationRdfService);
+            while (rs.hasNext()) {
+                QuerySolution qs = rs.next();
+                if (!qs.contains("version") || !qs.get("version").isLiteral()) {
+                    continue;
+                }
+                version = qs.getLiteral("version").getLong();
+            }
+        } catch (Exception e) {
+            log.error(e, e);
+        }
+        return version;
+    }
+
+    protected void removeVersion(long version) {
+        ParameterizedSparqlString pss = new ParameterizedSparqlString(REMOVE_VERSION_TEMPLATE);
+        pss.setLiteral("version", version);
+        PolicyLoader.getInstance().updateAccessControlModel(pss.toString(), false);
+    }
+
+    protected void setVersion(long version) {
+        ParameterizedSparqlString pss = new ParameterizedSparqlString(SET_VERSION_TEMPLATE);
+        pss.setLiteral("version", version);
+        PolicyLoader.getInstance().updateAccessControlModel(pss.toString(), true);
+    }
+
+    @Override
+    public void contextDestroyed(ServletContextEvent sce) {
+        // Nothing to tear down.
+    }
+
+    private long secondsSince(long startTime) {
+        return (System.currentTimeMillis() - startTime) / 1000;
+    }
+}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/migration/auth/SimplePermissionMigrator.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/migration/auth/SimplePermissionMigrator.java
new file mode 100644
index 0000000000..6e747ae984
--- /dev/null
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/migration/auth/SimplePermissionMigrator.java
@@ -0,0 +1,158 @@
+package edu.cornell.mannlib.vitro.webapp.migration.auth;
+
+import static edu.cornell.mannlib.vitro.webapp.migration.auth.AuthMigrator.ALL_ROLES;
+import static edu.cornell.mannlib.vitro.webapp.migration.auth.AuthMigrator.ROLE_ADMIN_URI;
+import static edu.cornell.mannlib.vitro.webapp.migration.auth.AuthMigrator.ROLE_CURATOR_URI;
+import static edu.cornell.mannlib.vitro.webapp.migration.auth.AuthMigrator.ROLE_EDITOR_URI;
+import static edu.cornell.mannlib.vitro.webapp.migration.auth.AuthMigrator.ROLE_PUBLIC_URI;
+import static edu.cornell.mannlib.vitro.webapp.migration.auth.AuthMigrator.ROLE_SELF_EDITOR_URI;
+
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Set;
+
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType;
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation;
+import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyLoader;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.jena.ontology.OntModel;
+import org.apache.jena.query.ParameterizedSparqlString;
+import org.apache.jena.query.QueryExecution;
+import org.apache.jena.query.QueryExecutionFactory;
+import org.apache.jena.query.QuerySolution;
+import org.apache.jena.query.ResultSet;
+
+public class SimplePermissionMigrator {
+
+    private static final Log log = LogFactory.getLog(SimplePermissionMigrator.class);
+
+    private OntModel userAccountsModel;
+
+    private String PERMISSION_SETS_QUERY = ""
+            + "prefix auth: <http://vitro.mannlib.cornell.edu/ns/vitro/authorization#>\n"
+            + "SELECT ?uri \n"
+            + "WHERE {\n"
+            + "  ?uri a auth:PermissionSet . \n"
+            + "}";
+
+    private String ROLE_PERMISSIONS_QUERY = ""
+            + "prefix auth: <http://vitro.mannlib.cornell.edu/ns/vitro/authorization#>\n"
+            + "SELECT ?permission \n"
+            + "WHERE {\n"
+            + "  ?role a auth:PermissionSet . \n"
+            + "  ?role auth:hasPermission ?permission .\n"
+            + "  FILTER (strstarts(str(?permission), "
+            + "'java:edu.cornell.mannlib.vitro.webapp.auth.permissions.SimplePermission#'))"
+            + "}";
+
+    private Map<String, Set<String>> roleMap;
+
+    public SimplePermissionMigrator(OntModel userAccountsModel) {
+        this.userAccountsModel = userAccountsModel;
+        roleMap = new HashMap<>();
+        roleMap.put(ROLE_ADMIN_URI, ALL_ROLES);
+        roleMap.put(ROLE_CURATOR_URI, new HashSet<String>(
+                Arrays.asList(ROLE_CURATOR_URI, ROLE_EDITOR_URI, ROLE_SELF_EDITOR_URI, ROLE_PUBLIC_URI)));
+        roleMap.put(ROLE_EDITOR_URI,
+                new HashSet<String>(Arrays.asList(ROLE_EDITOR_URI, ROLE_SELF_EDITOR_URI, ROLE_PUBLIC_URI)));
+        roleMap.put(ROLE_SELF_EDITOR_URI, new HashSet<String>(Arrays.asList(ROLE_SELF_EDITOR_URI, ROLE_PUBLIC_URI)));
+        roleMap.put(ROLE_PUBLIC_URI, new HashSet<String>(Arrays.asList(ROLE_PUBLIC_URI)));
+    }
+
+    public void migrateConfiguration() {
+        Set<String> roles = getPermissionSets();
+        if (!roles.containsAll(AuthMigrator.ALL_ROLES)) {
+            log.error("Roles not found. Simple permission migration failed.");
+            return;
+        }
+        migrateRoles(roles);
+    }
+
+    private void migrateRoles(Set<String> roles) {
+        PolicyLoader policyLoader = PolicyLoader.getInstance();
+        for (String role : roles) {
+            // get all simple permissions for role
+            Set<String> policyPermissions =
+                    policyLoader.getDataSetValues(AccessOperation.EXECUTE, AccessObjectType.NAMED_OBJECT, role);
+            // Compare with simple permissions in access control graph
+            Set<String> userAccountsPermissions = getUserAccountPermissions(role);
+            Set<String> toRevoke = new HashSet<>(policyPermissions);
+            toRevoke.removeAll(userAccountsPermissions);
+            Set<String> toGrant = new HashSet<>(userAccountsPermissions);
+            toGrant.removeAll(policyPermissions);
+            for (String entityUri : toGrant) {
+                policyLoader.addEntityToPolicyDataSet(entityUri, AccessObjectType.NAMED_OBJECT, AccessOperation.EXECUTE,
+                        role);
+                log.info(String.format("Allow role %s to %s ", getShortName(role), getShortName(entityUri)));
+            }
+            for (String entityUri : toRevoke) {
+                policyLoader.removeEntityFromPolicyDataSet(entityUri, AccessObjectType.NAMED_OBJECT,
+                        AccessOperation.EXECUTE, role);
+                log.info(String.format("Disallow role %s to %s ", getShortName(role), getShortName(entityUri)));
+            }
+        }
+    }
+
+    private static String getShortName(String entityUri) {
+        return entityUri.substring(entityUri.lastIndexOf('#') + 1);
+    }
+
+    Set<String> getPermissionSets() {
+        Set<String> permissionSets = new HashSet<>();
+        String queryText = PERMISSION_SETS_QUERY;
+        userAccountsModel.enterCriticalSection(false);
+        try {
+            QueryExecution qexec = QueryExecutionFactory.create(queryText, userAccountsModel);
+            try {
+                ResultSet results = qexec.execSelect();
+                while (results.hasNext()) {
+                    QuerySolution qs = results.next();
+                    String entity = qs.getResource("uri").getURI();
+                    permissionSets.add(entity);
+                }
+            } finally {
+                qexec.close();
+            }
+        } finally {
+            userAccountsModel.leaveCriticalSection();
+        }
+        return permissionSets;
+    }
+
+    Set<String> getUserAccountPermissions(String role) {
+        Set<String> permissions = new HashSet<>();
+        if (AuthMigrator.ALL_ROLES.contains(role)) {
+            for (String standardRole : roleMap.get(role)) {
+                populateUserAccountPermissions(standardRole, permissions);
+            }
+        } else {
+            populateUserAccountPermissions(role, permissions);
+        }
+        return permissions;
+    }
+
+    private void populateUserAccountPermissions(String role, Set<String> permissions) {
+        ParameterizedSparqlString pss = new ParameterizedSparqlString(ROLE_PERMISSIONS_QUERY);
+        pss.setIri("role", role);
+        String queryText = pss.toString();
+        userAccountsModel.enterCriticalSection(false);
+        try {
+            QueryExecution qexec = QueryExecutionFactory.create(queryText, userAccountsModel);
+            try {
+                ResultSet results = qexec.execSelect();
+                while (results.hasNext()) {
+                    QuerySolution qs = results.next();
+                    String entity = qs.getResource("permission").getURI();
+                    permissions.add(entity);
+                }
+            } finally {
+                qexec.close();
+            }
+        } finally {
+            userAccountsModel.leaveCriticalSection();
+        }
+    }
+}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/modelaccess/ModelAccess.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/modelaccess/ModelAccess.java
index def4d22a6c..38cc387fcc 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/modelaccess/ModelAccess.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/modelaccess/ModelAccess.java
@@ -165,15 +165,9 @@ public static boolean isPresent(HttpServletRequest req) {
 		return (req.getAttribute(ATTRIBUTE_NAME) instanceof RequestModelAccess);
 	}
 
+	@Deprecated
 	public static ContextModelAccess on(ServletContext ctx) {
-		Object o = ctx.getAttribute(ATTRIBUTE_NAME);
-		if (o instanceof ContextModelAccess) {
-			return (ContextModelAccess) o;
-		} else {
-			ContextModelAccess access = factory.buildContextModelAccess(ctx);
-			ctx.setAttribute(ATTRIBUTE_NAME, access);
-			return access;
-		}
+	    return getInstance();
 	}
 
 	// ----------------------------------------------------------------------
@@ -181,9 +175,14 @@ public static ContextModelAccess on(ServletContext ctx) {
 	// ----------------------------------------------------------------------
 
 	public static class ModelAccessFactory {
-		public ContextModelAccess buildContextModelAccess(ServletContext ctx) {
-			return new ContextModelAccessImpl(ctx, combinedTripleSource);
-		}
+	    @Deprecated
+        public ContextModelAccess buildContextModelAccess(ServletContext ctx) {
+            return getInstance();
+        }
+	    @Deprecated
+        public ContextModelAccess buildContextModelAccess() {
+            return getInstance();
+        }
 
 		/**
 		 * Note that the RequestModelAccess must be closed when the request
@@ -194,4 +193,17 @@ public RequestModelAccess buildRequestModelAccess(HttpServletRequest req) {
 					combinedTripleSource.getShortTermCombinedTripleSource(req));
 		}
 	}
+	
+    private static ContextModelAccess INSTANCE;
+
+    public static ContextModelAccess getInstance() {
+        if (INSTANCE == null) {
+            INSTANCE = new ContextModelAccessImpl(combinedTripleSource);
+        }
+        return INSTANCE;
+    }
+
+    public static void setInstance(ContextModelAccess cma) {
+        INSTANCE = cma;
+    }
 }
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/modelaccess/ModelNames.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/modelaccess/ModelNames.java
index d3295234bd..dfe42b22b3 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/modelaccess/ModelNames.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/modelaccess/ModelNames.java
@@ -36,6 +36,8 @@ public class ModelNames {
 	public static final String DISPLAY_DISPLAY_FIRSTTIME_BACKUP = DISPLAY_DISPLAY + "FirsttimeBackup";
 	public static final String INTERFACE_I18N = "http://vitro.mannlib.cornell.edu/default/interface-i18n";
 	public static final String INTERFACE_I18N_FIRSTTIME_BACKUP = INTERFACE_I18N + "FirsttimeBackup";
+	public static final String ACCESS_CONTROL = "http://vitro.mannlib.cornell.edu/default/access-control";
+	public static final String ACCESS_CONTROL_FIRSTTIME_BACKUP = ACCESS_CONTROL + "FirsttimeBackup";
 
 
 
@@ -70,7 +72,8 @@ private static Map<String, String> populateNamesMap() {
 		map.put("DISPLAY_DISPLAY_FIRSTTIME_BACKUP", DISPLAY_DISPLAY_FIRSTTIME_BACKUP);
 		map.put("INTERFACE_I18N", INTERFACE_I18N);
 		map.put("INTERFACE_I18N_FIRSTTIME_BACKUP", INTERFACE_I18N_FIRSTTIME_BACKUP);
-
+		map.put("INTERFACE_I18N", ACCESS_CONTROL);
+		map.put("INTERFACE_I18N_FIRSTTIME_BACKUP", ACCESS_CONTROL_FIRSTTIME_BACKUP);
 		return Collections.unmodifiableMap(map);
 	}
 
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/modelaccess/impl/ContextModelAccessImpl.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/modelaccess/impl/ContextModelAccessImpl.java
index 2e39935614..b74638a0b3 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/modelaccess/impl/ContextModelAccessImpl.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/modelaccess/impl/ContextModelAccessImpl.java
@@ -24,8 +24,6 @@
 import java.util.EnumMap;
 import java.util.Map;
 
-import javax.servlet.ServletContext;
-
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
@@ -85,9 +83,8 @@ public class ContextModelAccessImpl implements ContextModelAccess {
 	 * because we may not know the names of all of the models that will be
 	 * requested.
 	 */
-	public ContextModelAccessImpl(ServletContext ctx,
-			CombinedTripleSource factory) {
-		this.props = ConfigurationProperties.getBean(ctx);
+	public ContextModelAccessImpl(CombinedTripleSource factory) {
+		this.props = ConfigurationProperties.getInstance();
 		this.factory = factory;
 
 		this.ontModelCache = factory.getOntModelCache();
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/modelaccess/impl/RequestModelAccessImpl.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/modelaccess/impl/RequestModelAccessImpl.java
index 63d70691cc..64e1e49fe8 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/modelaccess/impl/RequestModelAccessImpl.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/modelaccess/impl/RequestModelAccessImpl.java
@@ -23,7 +23,7 @@
 import org.apache.jena.query.Dataset;
 
 import edu.cornell.mannlib.vitro.webapp.auth.identifier.RequestIdentifiers;
-import edu.cornell.mannlib.vitro.webapp.auth.policy.ServletPolicyList;
+import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyStore;
 import edu.cornell.mannlib.vitro.webapp.config.ConfigurationProperties;
 import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
 import edu.cornell.mannlib.vitro.webapp.dao.WebappDaoFactory;
@@ -340,8 +340,7 @@ private WebappDaoFactory createWebappDaoFactory(WebappDaoFactoryKey key) {
 
 	private WebappDaoFactory addPolicyAwareness(WebappDaoFactory unaware) {
 		HideFromDisplayByPolicyFilter filter = new HideFromDisplayByPolicyFilter(
-				RequestIdentifiers.getIdBundleForRequest(req),
-				ServletPolicyList.getPolicies(ctx));
+				RequestIdentifiers.getIdBundleForRequest(req));
 		return new WebappDaoFactoryFiltering(unaware, filter);
 	}
 
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/modules/tripleSource/ConfigurationTripleSource.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/modules/tripleSource/ConfigurationTripleSource.java
index 06f141e7d6..1d64f9ad04 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/modules/tripleSource/ConfigurationTripleSource.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/modules/tripleSource/ConfigurationTripleSource.java
@@ -15,6 +15,8 @@
 import static edu.cornell.mannlib.vitro.webapp.modelaccess.ModelNames.DISPLAY_DISPLAY_FIRSTTIME_BACKUP;
 import static edu.cornell.mannlib.vitro.webapp.modelaccess.ModelNames.INTERFACE_I18N ;
 import static edu.cornell.mannlib.vitro.webapp.modelaccess.ModelNames.INTERFACE_I18N_FIRSTTIME_BACKUP;
+import static edu.cornell.mannlib.vitro.webapp.modelaccess.ModelNames.ACCESS_CONTROL;
+import static edu.cornell.mannlib.vitro.webapp.modelaccess.ModelNames.ACCESS_CONTROL_FIRSTTIME_BACKUP;
 
 
 
@@ -42,6 +44,8 @@ public abstract class ConfigurationTripleSource implements TripleSource {
 			DISPLAY_DISPLAY_FIRSTTIME_BACKUP, 
 			INTERFACE_I18N,
 			INTERFACE_I18N_FIRSTTIME_BACKUP,
+			ACCESS_CONTROL, 
+			ACCESS_CONTROL_FIRSTTIME_BACKUP,
 	};
 
 	/**
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/search/controller/IndexController.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/search/controller/IndexController.java
index 086f4530d6..8ac3515887 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/search/controller/IndexController.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/search/controller/IndexController.java
@@ -19,7 +19,6 @@
 import edu.cornell.mannlib.vitro.webapp.auth.permissions.SimplePermission;
 import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyHelper;
 import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.AuthorizationRequest;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction;
 import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
 import edu.cornell.mannlib.vitro.webapp.controller.freemarker.FreemarkerHttpServlet;
 import edu.cornell.mannlib.vitro.webapp.controller.freemarker.UrlBuilder;
@@ -82,7 +81,7 @@ private static boolean hasParameter(HttpServletRequest req, String key) {
 	private static final String PAGE_TEMPLATE_NAME = "searchIndex.ftl";
 	private static final String STATUS_TEMPLATE_NAME = "searchIndexStatus.ftl";
 
-	public static final RequestedAction REQUIRED_ACTIONS = SimplePermission.MANAGE_SEARCH_INDEX.ACTION;
+	public static final AuthorizationRequest REQUIRED_ACTIONS = SimplePermission.MANAGE_SEARCH_INDEX.ACTION;
 
 	private SearchIndexer indexer;
 	private static IndexHistory history;
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/servlet/setup/ConfigurationModelsSetup.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/servlet/setup/ConfigurationModelsSetup.java
index 564b9645f9..8972e36837 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/servlet/setup/ConfigurationModelsSetup.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/servlet/setup/ConfigurationModelsSetup.java
@@ -6,6 +6,7 @@
 import static edu.cornell.mannlib.vitro.webapp.modelaccess.ModelNames.DISPLAY_DISPLAY;
 import static edu.cornell.mannlib.vitro.webapp.modelaccess.ModelNames.DISPLAY_TBOX;
 import static edu.cornell.mannlib.vitro.webapp.modelaccess.ModelNames.USER_ACCOUNTS;
+import static edu.cornell.mannlib.vitro.webapp.modelaccess.ModelNames.ACCESS_CONTROL;
 import static edu.cornell.mannlib.vitro.webapp.modelaccess.ModelNames.INTERFACE_I18N;
 
 import javax.servlet.ServletContext;
@@ -40,6 +41,7 @@ public void contextInitialized(ServletContextEvent sce) {
 			setupModel(ctx, DISPLAY_TBOX, "displayTbox");
 			setupModel(ctx, DISPLAY_DISPLAY, "displayDisplay");
 			setupModel(ctx, USER_ACCOUNTS, "auth");
+			setupModel(ctx, ACCESS_CONTROL, "accessControl");
 			setupModel(ctx, INTERFACE_I18N, "interface-i18n");
 			ss.info(this, "Set up the display models and the user accounts model.");
 		} catch (Exception e) {
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/web/jsptags/ConfirmAuthorization.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/web/jsptags/ConfirmAuthorization.java
index 12aa5df724..ad1b42ccc2 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/web/jsptags/ConfirmAuthorization.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/web/jsptags/ConfirmAuthorization.java
@@ -2,8 +2,6 @@
 
 package edu.cornell.mannlib.vitro.webapp.web.jsptags;
 
-import static edu.cornell.mannlib.vitro.webapp.auth.requestedAction.AuthorizationRequest.AUTHORIZED;
-
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.jsp.JspException;
@@ -15,7 +13,6 @@
 import edu.cornell.mannlib.vedit.beans.LoginStatusBean;
 import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyHelper;
 import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.AuthorizationRequest;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction;
 import edu.cornell.mannlib.vitro.webapp.controller.VitroHttpServlet;
 
 /**
@@ -64,18 +61,11 @@ private AuthorizationRequest getActionsFromRequestAttribute() {
 		getRequest().removeAttribute("requestedActions");
 
 		if (attribute == null) {
-			return AUTHORIZED;
-		} else if (attribute instanceof RequestedAction) {
-			RequestedAction ra = (RequestedAction) attribute;
+			return AuthorizationRequest.AUTHORIZED;
+		} else if (attribute instanceof AuthorizationRequest) {
+		    AuthorizationRequest ra = (AuthorizationRequest) attribute;
 			log.debug("requested action was " + ra.getClass().getSimpleName());
 			return ra;
-		} else if (attribute instanceof RequestedAction[]) {
-			AuthorizationRequest auth = AUTHORIZED;
-			for (RequestedAction ra : (RequestedAction[]) attribute) {
-				auth = auth.and(ra);
-			}
-			log.debug("requested actions were " + auth);
-			return auth;
 		} else {
 			throw new IllegalStateException(
 					"Expected request.getAttribute(\"requestedActions\") "
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/BaseIndividualTemplateModel.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/BaseIndividualTemplateModel.java
index 6ebd52ebc1..4bc447ee23 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/BaseIndividualTemplateModel.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/BaseIndividualTemplateModel.java
@@ -2,9 +2,8 @@
 
 package edu.cornell.mannlib.vitro.webapp.web.templatemodels.individual;
 
-import static edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction.SOME_LITERAL;
-import static edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction.SOME_PREDICATE;
-import static edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction.SOME_URI;
+import static edu.cornell.mannlib.vitro.webapp.auth.objects.AccessObject.SOME_PREDICATE;
+import static edu.cornell.mannlib.vitro.webapp.auth.objects.AccessObject.SOME_URI;
 
 import java.util.Collection;
 import java.util.Iterator;
@@ -18,10 +17,11 @@
 import org.apache.commons.logging.LogFactory;
 
 import edu.cornell.mannlib.vedit.beans.LoginStatusBean;
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.ObjectPropertyStatementAccessObject;
 import edu.cornell.mannlib.vitro.webapp.auth.permissions.SimplePermission;
 import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyHelper;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AddDataPropertyStatement;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AddObjectPropertyStatement;
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.SimpleAuthorizationRequest;
 import edu.cornell.mannlib.vitro.webapp.beans.DataPropertyStatement;
 import edu.cornell.mannlib.vitro.webapp.beans.Individual;
 import edu.cornell.mannlib.vitro.webapp.beans.VClass;
@@ -119,13 +119,9 @@ public GroupedPropertyList getPropertyList() {
 	 * an object property to the Individual being shown.
 	 */
     public boolean isEditable() {
-		AddDataPropertyStatement adps = new AddDataPropertyStatement(
-				vreq.getJenaOntModel(), individual.getURI(),
-				SOME_URI, SOME_LITERAL);
-		AddObjectPropertyStatement aops = new AddObjectPropertyStatement(
-				vreq.getJenaOntModel(), individual.getURI(),
-				SOME_PREDICATE, SOME_URI);
-    	return PolicyHelper.isAuthorizedForActions(vreq, adps.or(aops));
+        ObjectPropertyStatementAccessObject aops = new ObjectPropertyStatementAccessObject(vreq.getJenaOntModel(), individual.getURI(), SOME_PREDICATE, SOME_URI);
+        SimpleAuthorizationRequest editSomeObjectProperty = new SimpleAuthorizationRequest(aops, AccessOperation.EDIT);
+        return PolicyHelper.isAuthorizedForActions(vreq, editSomeObjectProperty);
     }
 
     public boolean getShowAdminPanel() {
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/DataPropertyStatementTemplateModel.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/DataPropertyStatementTemplateModel.java
index 0040aed232..1342cc0289 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/DataPropertyStatementTemplateModel.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/DataPropertyStatementTemplateModel.java
@@ -7,10 +7,11 @@
 
 import org.apache.jena.rdf.model.Literal;
 
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.AccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.DataPropertyStatementAccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.FauxDataPropertyStatementAccessObject;
 import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyHelper;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.DropDataPropertyStatement;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.EditDataPropertyStatement;
 import edu.cornell.mannlib.vitro.webapp.beans.DataPropertyStatement;
 import edu.cornell.mannlib.vitro.webapp.beans.DataPropertyStatementImpl;
 import edu.cornell.mannlib.vitro.webapp.beans.Property;
@@ -46,17 +47,27 @@ public DataPropertyStatementTemplateModel(String subjectUri, Property property,
 	private String makeDeleteUrl() {
         // Determine whether the statement can be deleted
 		DataPropertyStatement dps = makeStatement();
-        RequestedAction action = new DropDataPropertyStatement(vreq.getJenaOntModel(), dps);
-        if ( ! PolicyHelper.isAuthorizedForActions(vreq, action) ) {
+        AccessObject ao;
+        if (isFaux()) {
+            ao = new FauxDataPropertyStatementAccessObject(vreq.getJenaOntModel(), subjectUri, fauxProperty, literalValue.getLexicalForm());
+        } else {
+            ao = new DataPropertyStatementAccessObject(vreq.getJenaOntModel(), dps);
+        }
+        
+        if ( ! PolicyHelper.isAuthorizedForActions(vreq, ao, AccessOperation.DROP) ) {
             return "";
         }
-
+        
         ParamMap params = new ParamMap(
                 "subjectUri", subjectUri,
                 "predicateUri", property.getURI(),
                 "datapropKey", makeHash(dps),
                 "cmd", "delete");
 
+        if (isFaux()) {
+            params.put("fauxContextUri",fauxProperty.getContextUri());
+        }
+        
         params.put("templateName", templateName);
         params.putAll(UrlBuilder.getModelParams(vreq));
 
@@ -72,8 +83,14 @@ private String makeEditUrl() {
 
         // Determine whether the statement can be edited
 		DataPropertyStatement dps = makeStatement();
-        RequestedAction action = new EditDataPropertyStatement(vreq.getJenaOntModel(), dps);
-        if ( ! PolicyHelper.isAuthorizedForActions(vreq, action) ) {
+        AccessObject ao;
+        if (isFaux()) {
+            ao = new FauxDataPropertyStatementAccessObject(vreq.getJenaOntModel(), subjectUri, fauxProperty, literalValue.getLexicalForm());
+        } else {
+            ao = new DataPropertyStatementAccessObject(vreq.getJenaOntModel(), dps);
+        }
+		
+        if ( ! PolicyHelper.isAuthorizedForActions(vreq, ao, AccessOperation.EDIT) ) {
             return "";
         }
 
@@ -82,6 +99,10 @@ private String makeEditUrl() {
                 "predicateUri", property.getURI(),
                 "datapropKey", makeHash(dps));
 
+        if (isFaux()) {
+            params.put("fauxContextUri",fauxProperty.getContextUri());
+        }
+        
         if ( deleteUrl.isEmpty() ) {
             params.put("deleteProhibited", "prohibited");
         }
@@ -92,7 +113,8 @@ private String makeEditUrl() {
 	}
 
 	private DataPropertyStatement makeStatement() {
-		DataPropertyStatement dps = new DataPropertyStatementImpl(subjectUri, property.getURI(), literalValue.getLexicalForm());
+		DataPropertyStatement dps;
+		dps = new DataPropertyStatementImpl(subjectUri, property.getURI(), literalValue.getLexicalForm());	
 		// Language and datatype are needed to get the correct hash value
 		dps.setLanguage(literalValue.getLanguage());
 		dps.setDatatypeURI(literalValue.getDatatypeURI());
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/DataPropertyTemplateModel.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/DataPropertyTemplateModel.java
index 8e0e3f3b20..0e805fb15a 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/DataPropertyTemplateModel.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/DataPropertyTemplateModel.java
@@ -2,7 +2,7 @@
 
 package edu.cornell.mannlib.vitro.webapp.web.templatemodels.individual;
 
-import static edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction.SOME_LITERAL;
+import static edu.cornell.mannlib.vitro.webapp.auth.objects.AccessObject.SOME_LITERAL;
 
 import java.util.ArrayList;
 import java.util.List;
@@ -14,9 +14,11 @@
 
 import org.apache.jena.rdf.model.Literal;
 
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.AccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.DataPropertyStatementAccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.FauxDataPropertyStatementAccessObject;
 import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyHelper;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AddDataPropertyStatement;
 import edu.cornell.mannlib.vitro.webapp.beans.DataProperty;
 import edu.cornell.mannlib.vitro.webapp.beans.Individual;
 import edu.cornell.mannlib.vitro.webapp.beans.Property;
@@ -91,7 +93,7 @@ public String toString() {
         // If the property is populated, get the data property statements via a sparql query
         if (populatedDataPropertyList.contains(dp)) {
             log.debug("Getting data for populated data property " + getUri());
-            DataPropertyStatementDao dpDao = vreq.getWebappDaoFactory().getDataPropertyStatementDao();
+            DataPropertyStatementDao dpDao = vreq.getUnfilteredWebappDaoFactory().getDataPropertyStatementDao();
             List<Literal> values = dpDao.getDataPropertyValuesForIndividualByProperty(subject, dp, queryString, constructQueries);
             for (Literal value : values) {
                 statements.add(new DataPropertyStatementTemplateModel(subjectUri, dp, value, getTemplateName(), vreq));
@@ -101,11 +103,11 @@ public String toString() {
         }
 
         if ( editing ) {
-        	setAddUrl(dp);
+        	setAddUrl();
         }
     }
 
-    protected void setAddUrl(Property property) {
+    protected void setAddUrl() {
 
         DataProperty dp = (DataProperty) property;
         // NIHVIVO-2790 vitro:moniker now included in the display, but don't allow new statements
@@ -131,15 +133,26 @@ protected void setAddUrl(Property property) {
 		}
 
         // Determine whether a new statement can be added
-		RequestedAction action = new AddDataPropertyStatement(
-				vreq.getJenaOntModel(), subjectUri, propertyUri, SOME_LITERAL);
-        if ( ! PolicyHelper.isAuthorizedForActions(vreq, action) ) {
+		String fauxContextUri = null;
+		AccessObject action;
+		if (isFaux()){
+			fauxContextUri = fauxProperty.getContextUri();
+			action = new FauxDataPropertyStatementAccessObject(
+					vreq.getJenaOntModel(), subjectUri, fauxProperty, SOME_LITERAL);
+		} else {
+			action = new DataPropertyStatementAccessObject(vreq.getJenaOntModel(), subjectUri, dp, SOME_LITERAL);
+		}
+        if ( ! PolicyHelper.isAuthorizedForActions(vreq, action, AccessOperation.ADD) ) {
             return;
         }
 
         ParamMap params = new ParamMap(
                 "subjectUri", subjectUri,
                 "predicateUri", propertyUri);
+        
+        if (fauxContextUri != null) {
+            params.put("fauxContextUri", fauxContextUri);
+        }
 
         params.putAll(UrlBuilder.getModelParams(vreq));
 
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/FauxDataPropertyWrapper.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/FauxDataPropertyWrapper.java
index 556381af35..ea583fe9de 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/FauxDataPropertyWrapper.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/FauxDataPropertyWrapper.java
@@ -329,4 +329,9 @@ public String getContextUri() {
 		return faux.getContextUri();
 	}
 
+	@Override
+	public String getConfigUri() {
+		return faux.getConfigUri();
+	}
+
 }
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/FauxObjectPropertyWrapper.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/FauxObjectPropertyWrapper.java
index e0425861ad..72c49cbe0b 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/FauxObjectPropertyWrapper.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/FauxObjectPropertyWrapper.java
@@ -555,51 +555,6 @@ public void setLocalNameWithPrefix(String prefixedLocalName) {
 		innerOP.setLocalNameWithPrefix(prefixedLocalName);
 	}
 
-	@Override
-	public RoleLevel getHiddenFromDisplayBelowRoleLevel() {
-		return innerOP.getHiddenFromDisplayBelowRoleLevel();
-	}
-
-	@Override
-	public void setHiddenFromDisplayBelowRoleLevel(RoleLevel level) {
-		innerOP.setHiddenFromDisplayBelowRoleLevel(level);
-	}
-
-	@Override
-	public void setHiddenFromDisplayBelowRoleLevelUsingRoleUri(String roleUri) {
-		innerOP.setHiddenFromDisplayBelowRoleLevelUsingRoleUri(roleUri);
-	}
-
-	@Override
-	public RoleLevel getProhibitedFromUpdateBelowRoleLevel() {
-		return innerOP.getProhibitedFromUpdateBelowRoleLevel();
-	}
-
-	@Override
-	public void setProhibitedFromUpdateBelowRoleLevel(RoleLevel level) {
-		innerOP.setProhibitedFromUpdateBelowRoleLevel(level);
-	}
-
-	@Override
-	public void setProhibitedFromUpdateBelowRoleLevelUsingRoleUri(String roleUri) {
-		innerOP.setProhibitedFromUpdateBelowRoleLevelUsingRoleUri(roleUri);
-	}
-
-	@Override
-	public RoleLevel getHiddenFromPublishBelowRoleLevel() {
-		return innerOP.getHiddenFromPublishBelowRoleLevel();
-	}
-
-	@Override
-	public void setHiddenFromPublishBelowRoleLevel(RoleLevel level) {
-		innerOP.setHiddenFromPublishBelowRoleLevel(level);
-	}
-
-	@Override
-	public void setHiddenFromPublishBelowRoleLevelUsingRoleUri(String roleUri) {
-		innerOP.setHiddenFromPublishBelowRoleLevelUsingRoleUri(roleUri);
-	}
-
 	@Override
 	public int hashCode() {
 		final int prime = 31;
@@ -664,4 +619,9 @@ public String getContextUri() {
 		return faux.getContextUri();
 	}
 
+	@Override
+	public String getConfigUri() {
+		return faux.getConfigUri();
+	}
+
 }
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/FauxPropertyWrapper.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/FauxPropertyWrapper.java
index 4f3222f903..a8d9cd3a9c 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/FauxPropertyWrapper.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/FauxPropertyWrapper.java
@@ -7,4 +7,6 @@ public interface FauxPropertyWrapper {
 	public FauxProperty getFauxProperty();
 	
 	public String getContextUri();
+	
+	public String getConfigUri();
 }
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/NameStatementTemplateModel.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/NameStatementTemplateModel.java
index dca2796286..2c413481aa 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/NameStatementTemplateModel.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/NameStatementTemplateModel.java
@@ -7,9 +7,10 @@
 
 import org.apache.jena.rdf.model.Literal;
 
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.AccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.DataPropertyStatementAccessObject;
 import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyHelper;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.EditDataPropertyStatement;
 import edu.cornell.mannlib.vitro.webapp.beans.DataPropertyStatement;
 import edu.cornell.mannlib.vitro.webapp.beans.DataPropertyStatementImpl;
 import edu.cornell.mannlib.vitro.webapp.beans.Individual;
@@ -63,8 +64,8 @@ public class NameStatementTemplateModel extends PropertyStatementTemplateModel {
 	private String makeEditUrl(Literal literal) {
         // Determine whether the statement can be edited
         DataPropertyStatement dps = makeStatement(literal);
-        RequestedAction action = new EditDataPropertyStatement(vreq.getJenaOntModel(), dps);
-        if ( ! PolicyHelper.isAuthorizedForActions(vreq, action) ) {
+        AccessObject action = new DataPropertyStatementAccessObject(vreq.getJenaOntModel(), dps);
+        if ( ! PolicyHelper.isAuthorizedForActions(vreq, action, AccessOperation.EDIT) ) {
             return "";
         }
 
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/ObjectPropertyStatementTemplateModel.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/ObjectPropertyStatementTemplateModel.java
index da38f6ce90..3df574bdb7 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/ObjectPropertyStatementTemplateModel.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/ObjectPropertyStatementTemplateModel.java
@@ -9,10 +9,11 @@
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.AccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.FauxObjectPropertyStatementAccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.ObjectPropertyStatementAccessObject;
 import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyHelper;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.DropObjectPropertyStatement;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.EditObjectPropertyStatement;
 import edu.cornell.mannlib.vitro.webapp.beans.ObjectProperty;
 import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
 import edu.cornell.mannlib.vitro.webapp.controller.freemarker.UrlBuilder;
@@ -50,11 +51,14 @@ private String makeDeleteUrl() {
     	if (property.isDeleteLinkSuppressed()) {
     		return "";
     	}
-
+    	AccessObject ao;
         // Determine whether the statement can be deleted
-		RequestedAction action = new DropObjectPropertyStatement(
-				vreq.getJenaOntModel(), subjectUri, property, objectUri);
-        if ( ! PolicyHelper.isAuthorizedForActions(vreq, action) ) {
+    	if (isFaux()) {
+            ao = new FauxObjectPropertyStatementAccessObject(vreq.getJenaOntModel(), subjectUri, fauxProperty, objectUri);
+        } else {
+            ao = new ObjectPropertyStatementAccessObject(vreq.getJenaOntModel(), subjectUri, property, objectUri);
+        }
+        if ( ! PolicyHelper.isAuthorizedForActions(vreq, ao, AccessOperation.DROP) ) {
             return "";
         }
 
@@ -73,6 +77,10 @@ private String makeDeleteUrl() {
                 "cmd", "delete",
                 "objectKey", objectKey);
 
+        if (isFaux()) {
+            params.put("fauxContextUri", fauxProperty.getContextUri());
+        }
+
         for ( String key : data.keySet() ) {
             String value = data.get(key);
             // Remove an entry with a null value instead of letting it get passed
@@ -105,8 +113,13 @@ private String makeEditUrl() {
     	}
 
        // Determine whether the statement can be edited
-        RequestedAction action =  new EditObjectPropertyStatement(vreq.getJenaOntModel(), subjectUri, property, objectUri);
-        if ( ! PolicyHelper.isAuthorizedForActions(vreq, action) ) {
+    	AccessObject ao;
+        if (isFaux()) {
+            ao = new FauxObjectPropertyStatementAccessObject(vreq.getJenaOntModel(), subjectUri, fauxProperty, objectUri);
+        } else {
+            ao = new ObjectPropertyStatementAccessObject(vreq.getJenaOntModel(), subjectUri, property, objectUri);
+        }
+        if ( ! PolicyHelper.isAuthorizedForActions(vreq, ao, AccessOperation.EDIT) ) {
             return "";
         }
 
@@ -123,6 +136,10 @@ private String makeEditUrl() {
                 "predicateUri", property.getURI(),
                 "objectUri", objectUri);
 
+        if (isFaux()) {
+            params.put("fauxContextUri", fauxProperty.getContextUri());
+        }
+        
         if ( deleteUrl.isEmpty() ) {
             params.put("deleteProhibited", "prohibited");
         }
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/ObjectPropertyTemplateModel.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/ObjectPropertyTemplateModel.java
index bb6e69bdc6..041d4bf292 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/ObjectPropertyTemplateModel.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/ObjectPropertyTemplateModel.java
@@ -2,7 +2,7 @@
 
 package edu.cornell.mannlib.vitro.webapp.web.templatemodels.individual;
 
-import static edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction.SOME_URI;
+import static edu.cornell.mannlib.vitro.webapp.auth.objects.AccessObject.SOME_URI;
 
 import java.util.ArrayList;
 import java.util.Iterator;
@@ -16,9 +16,11 @@
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.AccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.FauxObjectPropertyStatementAccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.ObjectPropertyStatementAccessObject;
 import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyHelper;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AddObjectPropertyStatement;
 import edu.cornell.mannlib.vitro.webapp.beans.Individual;
 import edu.cornell.mannlib.vitro.webapp.beans.ObjectProperty;
 import edu.cornell.mannlib.vitro.webapp.beans.Property;
@@ -109,20 +111,25 @@ public String toString() {
         objectKey = getQueryObjectVariableName();
 
         if (editing) {
-        	setAddUrl(op);
+        	setAddUrl();
         }
     }
 
-    protected void setAddUrl(Property property) {
+    protected void setAddUrl() {
     	// Is the add link suppressed for this property?
     	if (property.isAddLinkSuppressed()) {
     		return;
     	}
 
         // Determine whether a new statement can be added
-		RequestedAction action = new AddObjectPropertyStatement(
-				vreq.getJenaOntModel(), subjectUri, property, SOME_URI);
-        if ( ! PolicyHelper.isAuthorizedForActions(vreq, action) ) {
+		AccessObject ao; 
+		if (isFaux()) {
+		    ao = new FauxObjectPropertyStatementAccessObject(vreq.getJenaOntModel(), subjectUri, fauxProperty, SOME_URI);
+		} else {
+	        ao = new ObjectPropertyStatementAccessObject(vreq.getJenaOntModel(), subjectUri, property, SOME_URI);
+		}
+		
+        if ( ! PolicyHelper.isAuthorizedForActions(vreq, ao, AccessOperation.ADD) ) {
             return;
         }
 
@@ -138,6 +145,11 @@ protected void setAddUrl(Property property) {
             ParamMap params = new ParamMap(
                     "subjectUri", subjectUri,
                     "predicateUri", propertyUri);
+    		
+            if (isFaux()){
+                String fauxPropertyContextUri = fauxProperty.getContextUri();
+                params.put("fauxContextUri", fauxPropertyContextUri);
+            } 
 
             if (domainUri != null) {
                 params.put("domainUri", domainUri);
@@ -168,6 +180,11 @@ protected List<Map<String, String>> getStatementData() {
         ObjectPropertyStatementDao opDao = vreq.getWebappDaoFactory().getObjectPropertyStatementDao();
         return opDao.getObjectPropertyStatementsForIndividualByProperty(subjectUri, propertyUri, objectKey, domainUri, rangeUri, getSelectQuery(), getConstructQueries(), sortDirection);
     }
+    
+    protected List<Map<String, String>> getUnfilteredStatementData() {
+        ObjectPropertyStatementDao opDao = vreq.getUnfilteredWebappDaoFactory().getObjectPropertyStatementDao();
+        return opDao.getObjectPropertyStatementsForIndividualByProperty(subjectUri, propertyUri, objectKey, domainUri, rangeUri, getSelectQuery(), getConstructQueries(), sortDirection);
+    }
 
     protected abstract boolean isEmpty();
 
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/PropertyGroupTemplateModel.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/PropertyGroupTemplateModel.java
index 5c8ec1d2a2..44b73d5b70 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/PropertyGroupTemplateModel.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/PropertyGroupTemplateModel.java
@@ -2,8 +2,8 @@
 
 package edu.cornell.mannlib.vitro.webapp.web.templatemodels.individual;
 
-import static edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction.SOME_LITERAL;
-import static edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction.SOME_URI;
+import static edu.cornell.mannlib.vitro.webapp.auth.objects.AccessObject.SOME_LITERAL;
+import static edu.cornell.mannlib.vitro.webapp.auth.objects.AccessObject.SOME_URI;
 
 import java.util.ArrayList;
 import java.util.List;
@@ -11,14 +11,19 @@
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.AccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.DataPropertyAccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.DataPropertyStatementAccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.FauxDataPropertyAccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.FauxDataPropertyStatementAccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.FauxObjectPropertyAccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.FauxObjectPropertyStatementAccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.ObjectPropertyAccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.ObjectPropertyStatementAccessObject;
 import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyHelper;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.display.DisplayDataProperty;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.display.DisplayDataPropertyStatement;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.display.DisplayObjectProperty;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.display.DisplayObjectPropertyStatement;
 import edu.cornell.mannlib.vitro.webapp.beans.DataProperty;
-import edu.cornell.mannlib.vitro.webapp.beans.DataPropertyStatementImpl;
+import edu.cornell.mannlib.vitro.webapp.beans.FauxProperty;
 import edu.cornell.mannlib.vitro.webapp.beans.Individual;
 import edu.cornell.mannlib.vitro.webapp.beans.ObjectProperty;
 import edu.cornell.mannlib.vitro.webapp.beans.Property;
@@ -33,8 +38,6 @@ public class PropertyGroupTemplateModel extends BaseTemplateModel {
     private final String name;
     private final List<PropertyTemplateModel> properties;
 
-
-
     PropertyGroupTemplateModel(VitroRequest vreq, PropertyGroup group,
             Individual subject, boolean editing,
             List<DataProperty> populatedDataPropertyList,
@@ -73,35 +76,48 @@ public class PropertyGroupTemplateModel extends BaseTemplateModel {
 	 * See if the property is permitted in its own right. If not, the property
 	 * statement might still be permitted to a self-editor.
 	 */
-	private boolean allowedToDisplay(VitroRequest vreq, ObjectProperty op,
-			Individual subject) {
-		RequestedAction dop = new DisplayObjectProperty(op);
-		if (PolicyHelper.isAuthorizedForActions(vreq, dop)) {
+	private boolean allowedToDisplay(VitroRequest vreq, ObjectProperty op, Individual subject) {
+	    AccessObject ao;
+	    if (op instanceof FauxObjectPropertyWrapper) {
+	        ao = new FauxObjectPropertyAccessObject(op);
+	    } else {
+	        ao = new ObjectPropertyAccessObject(op);    
+	    }
+		if (PolicyHelper.isAuthorizedForActions(vreq, ao, AccessOperation.DISPLAY)) {
 			return true;
 		}
-
-		RequestedAction dops = new DisplayObjectPropertyStatement(
-				subject.getURI(), op, SOME_URI);
-        return PolicyHelper.isAuthorizedForActions(vreq, dops);
-
+        //TODO: Model should be here to correctly check authorization
+		if (op instanceof FauxObjectPropertyWrapper) {
+			final FauxProperty fauxProperty = ((FauxObjectPropertyWrapper) op).getFauxProperty();
+            ao = new FauxObjectPropertyStatementAccessObject(null, subject.getURI(), fauxProperty, SOME_URI);
+		} else {
+			ao = new ObjectPropertyStatementAccessObject(null, subject.getURI(), op, SOME_URI);
+		}
+		return PolicyHelper.isAuthorizedForActions(vreq, ao, AccessOperation.DISPLAY);
     }
 
 	/**
 	 * See if the property is permitted in its own right. If not, the property
 	 * statement might still be permitted to a self-editor.
 	 */
-	private boolean allowedToDisplay(VitroRequest vreq, DataProperty dp,
-			Individual subject) {
-		RequestedAction dop = new DisplayDataProperty(dp);
-		if (PolicyHelper.isAuthorizedForActions(vreq, dop)) {
+	private boolean allowedToDisplay(VitroRequest vreq, DataProperty dp, Individual subject) {
+        AccessObject ao;
+        if (dp instanceof FauxDataPropertyWrapper) {
+            ao = new FauxDataPropertyAccessObject(dp);
+        } else {
+            ao = new DataPropertyAccessObject(dp);    
+        }
+		if (PolicyHelper.isAuthorizedForActions(vreq, ao, AccessOperation.DISPLAY)) {
 			return true;
 		}
-
-		DataPropertyStatementImpl dps = new DataPropertyStatementImpl(
-				subject.getURI(), dp.getURI(), SOME_LITERAL);
-		RequestedAction dops = new DisplayDataPropertyStatement(dps);
-        return PolicyHelper.isAuthorizedForActions(vreq, dops);
-
+        //TODO: Model should be here to correctly check authorization
+		if (dp instanceof FauxDataPropertyWrapper) {
+		    final FauxProperty fauxProperty = ((FauxDataPropertyWrapper) dp).getFauxProperty();
+			ao = new FauxDataPropertyStatementAccessObject(null, subject.getURI(), fauxProperty, SOME_LITERAL);
+		} else {
+			ao = new DataPropertyStatementAccessObject(null, subject.getURI(), dp, SOME_LITERAL);
+		}
+        return PolicyHelper.isAuthorizedForActions(vreq, ao, AccessOperation.DISPLAY);	
     }
 
 	protected boolean isEmpty() {
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/PropertyStatementTemplateModel.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/PropertyStatementTemplateModel.java
index 6ca8296edb..86e3b89d7f 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/PropertyStatementTemplateModel.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/PropertyStatementTemplateModel.java
@@ -2,6 +2,7 @@
 
 package edu.cornell.mannlib.vitro.webapp.web.templatemodels.individual;
 
+import edu.cornell.mannlib.vitro.webapp.beans.FauxProperty;
 import edu.cornell.mannlib.vitro.webapp.beans.Property;
 import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
 import edu.cornell.mannlib.vitro.webapp.web.templatemodels.BaseTemplateModel;
@@ -12,11 +13,16 @@ public abstract class PropertyStatementTemplateModel extends BaseTemplateModel {
     protected final VitroRequest vreq;
     protected final String subjectUri;
     protected final Property property;
+    protected FauxProperty fauxProperty;
+
 
     PropertyStatementTemplateModel(String subjectUri, Property property, VitroRequest vreq) {
         this.vreq = vreq;
         this.subjectUri = subjectUri;
         this.property = property;
+        if (property instanceof FauxPropertyWrapper) {
+            fauxProperty = ((FauxPropertyWrapper) property).getFauxProperty();
+        }
     }
 
     /* Template properties */
@@ -26,5 +32,9 @@ public abstract class PropertyStatementTemplateModel extends BaseTemplateModel {
     public boolean isEditable() {
         return ! getEditUrl().isEmpty();
     }
+    
+    protected boolean isFaux() {
+        return fauxProperty != null;
+    }
 
 }
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/PropertyTemplateModel.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/PropertyTemplateModel.java
index 2b1aac8b63..b19191076a 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/PropertyTemplateModel.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/PropertyTemplateModel.java
@@ -10,7 +10,6 @@
 
 import edu.cornell.mannlib.vitro.webapp.auth.permissions.SimplePermission;
 import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyHelper;
-import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean.RoleLevel;
 import edu.cornell.mannlib.vitro.webapp.beans.FauxProperty;
 import edu.cornell.mannlib.vitro.webapp.beans.Individual;
 import edu.cornell.mannlib.vitro.webapp.beans.Property;
@@ -41,12 +40,14 @@ public abstract class PropertyTemplateModel extends BaseTemplateModel {
     private String name;
     private int displayLimit;
 
+    protected FauxProperty fauxProperty;
+
     PropertyTemplateModel(Property property, Individual subject, VitroRequest vreq, String name) {
         this.vreq = vreq;
         subjectUri = subject.getURI();
         this.property = property;
         if (isFauxProperty(property)) {
-            FauxProperty fauxProperty = getFauxProperty(property);
+            fauxProperty = getFauxProperty(property);
             this.name = fauxProperty.getDisplayName();
             this.displayLimit = fauxProperty.getDisplayLimit();
             propertyUri = fauxProperty.getBaseURI();
@@ -59,7 +60,7 @@ public abstract class PropertyTemplateModel extends BaseTemplateModel {
         setVerboseDisplayValues(property);
     }
 
-    private FauxProperty getFauxProperty(Property property) {
+    protected FauxProperty getFauxProperty(Property property) {
         return ((FauxPropertyWrapper) property).getFauxProperty();
     }
 
@@ -89,18 +90,6 @@ protected void setVerboseDisplayValues(Property property) {
 
         verboseDisplay = new HashMap<String, Object>();
 
-        RoleLevel roleLevel = property.getHiddenFromDisplayBelowRoleLevel();
-        String roleLevelLabel = roleLevel != null ? roleLevel.getDisplayLabel() : "";
-        verboseDisplay.put("displayLevel", roleLevelLabel);
-
-        roleLevel = property.getProhibitedFromUpdateBelowRoleLevel();
-        roleLevelLabel = roleLevel != null ? roleLevel.getUpdateLabel() : "";
-        verboseDisplay.put("updateLevel", roleLevelLabel);
-
-        roleLevel = property.getHiddenFromPublishBelowRoleLevel();
-        roleLevelLabel = roleLevel != null ? roleLevel.getDisplayLabel() : "";
-        verboseDisplay.put("publishLevel", roleLevelLabel);
-
         verboseDisplay.put("localName", property.getLocalNameWithPrefix());
         verboseDisplay.put("displayRank", getPropertyDisplayTier(property));
 
@@ -112,7 +101,7 @@ protected void setVerboseDisplayValues(Property property) {
         }
     }
 
-    private boolean isFauxProperty(Property prop) {
+    protected boolean isFauxProperty(Property prop) {
         if (prop instanceof FauxPropertyWrapper) {
             return true;
         }
@@ -176,4 +165,9 @@ public String getAddUrl() {
     public Map<String, Object> getVerboseDisplay() {
         return verboseDisplay;
     }
+    
+    protected boolean isFaux() {
+        return fauxProperty != null;
+    }
+    
 }
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/UncollatedObjectPropertyTemplateModel.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/UncollatedObjectPropertyTemplateModel.java
index 06bdb8fa5e..2fa5f89951 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/UncollatedObjectPropertyTemplateModel.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/UncollatedObjectPropertyTemplateModel.java
@@ -32,7 +32,12 @@ public class UncollatedObjectPropertyTemplateModel extends ObjectPropertyTemplat
             log.debug("Getting data for populated object property " + op.getURI());
 
             /* Get the data */
-            List<Map<String, String>> statementData = getStatementData();
+            List<Map<String, String>> statementData;
+            if (op instanceof FauxPropertyWrapper) {
+            	statementData = getUnfilteredStatementData();
+            } else {
+            	statementData = getStatementData();	
+            }
 
             /* Apply postprocessing */
             postprocess(statementData);
diff --git a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/AttributeValueKeyTest.java b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/AttributeValueKeyTest.java
new file mode 100644
index 0000000000..e9d2f078de
--- /dev/null
+++ b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/AttributeValueKeyTest.java
@@ -0,0 +1,31 @@
+package edu.cornell.mannlib.vitro.webapp.auth.attributes;
+
+import static org.junit.Assert.assertEquals;
+
+import java.util.Map;
+
+import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyTest;
+import org.apache.commons.collections4.map.HashedMap;
+import org.junit.Test;
+
+public class AttributeValueKeyTest {
+
+    @Test
+    public void equalityTest() {
+        AttributeValueKey key1 = new AttributeValueKey();
+        key1.setObjectType(AccessObjectType.FAUX_DATA_PROPERTY);
+        key1.setOperation(AccessOperation.DISPLAY);
+        key1.setType(AccessObjectType.FAUX_DATA_PROPERTY.toString());
+        key1.setRole(PolicyTest.ADMIN);
+        AttributeValueKey key2 = new AttributeValueKey();
+        key2.setObjectType(AccessObjectType.FAUX_DATA_PROPERTY);
+        key2.setOperation(AccessOperation.DISPLAY);
+        key2.setType("FAUX_DATA_PROPERTY");
+        key2.setRole(PolicyTest.ADMIN);
+        assertEquals(key1, key2);
+        Map<AttributeValueKey, String> map = new HashedMap<>();
+        map.put(key1, "1");
+        map.put(key2, "2");
+        assertEquals(1, map.size());
+    }
+}
diff --git a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/identifier/factory/HasPermissionFactoryTest.java b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/identifier/factory/HasPermissionFactoryTest.java
deleted file mode 100644
index 6d8e320161..0000000000
--- a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/identifier/factory/HasPermissionFactoryTest.java
+++ /dev/null
@@ -1,277 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.identifier.factory;
-
-import static org.junit.Assert.assertEquals;
-
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Set;
-
-import org.junit.Before;
-import org.junit.Test;
-
-import stubs.edu.cornell.mannlib.vitro.webapp.dao.UserAccountsDaoStub;
-import stubs.edu.cornell.mannlib.vitro.webapp.dao.WebappDaoFactoryStub;
-import stubs.edu.cornell.mannlib.vitro.webapp.modelaccess.ModelAccessFactoryStub;
-import stubs.javax.servlet.ServletContextStub;
-import stubs.javax.servlet.http.HttpServletRequestStub;
-import stubs.javax.servlet.http.HttpSessionStub;
-import edu.cornell.mannlib.vedit.beans.LoginStatusBean;
-import edu.cornell.mannlib.vedit.beans.LoginStatusBean.AuthenticationSource;
-import edu.cornell.mannlib.vitro.testing.AbstractTestClass;
-import edu.cornell.mannlib.vitro.webapp.auth.identifier.ArrayIdentifierBundle;
-import edu.cornell.mannlib.vitro.webapp.auth.identifier.Identifier;
-import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle;
-import edu.cornell.mannlib.vitro.webapp.auth.identifier.common.HasPermission;
-import edu.cornell.mannlib.vitro.webapp.auth.permissions.Permission;
-import edu.cornell.mannlib.vitro.webapp.auth.permissions.PermissionRegistry;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction;
-import edu.cornell.mannlib.vitro.webapp.beans.PermissionSet;
-import edu.cornell.mannlib.vitro.webapp.beans.UserAccount;
-
-/**
- * Can we tell whether a user is logged in as root?
- */
-public class HasPermissionFactoryTest extends AbstractTestClass {
-	private static final String USER_URI = "http://userUri";
-	private UserAccount user;
-
-	private LoginStatusBean lsb;
-
-	private PermissionSet emptyPublicPermissionSet;
-	private PermissionSet publicPermissionSet1;
-	private PermissionSet publicPermissionSet2;
-	private PermissionSet emptyLoggedInPermissionSet;
-	private PermissionSet loggedInPermissionSet1;
-	private PermissionSet loggedInPermissionSet2;
-
-	private Permission permissionP1a;
-	private Permission permissionP1b;
-	private Permission permissionP2;
-	private Permission permissionLI1;
-	private Permission permissionLI2a;
-	private Permission permissionLI2b;
-
-	private WebappDaoFactoryStub wdf;
-	private UserAccountsDaoStub uaDao;
-
-	private ServletContextStub ctx;
-	private HttpSessionStub session;
-	private HttpServletRequestStub req;
-
-	private HasPermissionFactory factory;
-
-	private IdentifierBundle actualIds;
-	private IdentifierBundle expectedIds;
-
-	@Before
-	public void setup() {
-		user = new UserAccount();
-		user.setUri(USER_URI);
-
-		lsb = new LoginStatusBean(USER_URI, AuthenticationSource.INTERNAL);
-
-		uaDao = new UserAccountsDaoStub();
-		uaDao.addUser(user);
-
-		wdf = new WebappDaoFactoryStub();
-		wdf.setUserAccountsDao(uaDao);
-
-		ctx = new ServletContextStub();
-		new ModelAccessFactoryStub().get(ctx).setWebappDaoFactory(wdf);
-
-		session = new HttpSessionStub();
-		session.setServletContext(ctx);
-
-		req = new HttpServletRequestStub();
-		req.setSession(session);
-
-		factory = new HasPermissionFactory(ctx);
-
-		preparePermissions();
-		preparePermissionSets();
-	}
-
-	private void preparePermissions() {
-		permissionP1a = new MyPermission("permissionP1a");
-		permissionP1b = new MyPermission("permissionP1b");
-		permissionP2 = new MyPermission("permissionP2");
-		permissionLI1 = new MyPermission("permissionLI1");
-		permissionLI2a = new MyPermission("permissionLI2a");
-		permissionLI2b = new MyPermission("permissionLI2b");
-		PermissionRegistry.createRegistry(
-				ctx,
-				list(permissionP1a, permissionP1b, permissionP2, permissionLI1,
-						permissionLI2a, permissionLI2b));
-	}
-
-	private void preparePermissionSets() {
-		emptyPublicPermissionSet = new PermissionSet();
-		emptyPublicPermissionSet.setUri("java:emptyPS");
-		emptyPublicPermissionSet.setLabel("emptyPublicPermissionSet");
-		emptyPublicPermissionSet.setForPublic(true);
-
-		publicPermissionSet1 = new PermissionSet();
-		publicPermissionSet1.setUri("java:publicPS1");
-		publicPermissionSet1.setLabel("publicPermissionSet1");
-		publicPermissionSet1.setForPublic(true);
-		setPermissions(publicPermissionSet1, permissionP1a, permissionP1b);
-
-		publicPermissionSet2 = new PermissionSet();
-		publicPermissionSet2.setUri("java:publicPS2");
-		publicPermissionSet2.setLabel("publicPermissionSet2");
-		publicPermissionSet2.setForPublic(true);
-		setPermissions(publicPermissionSet2, permissionP2);
-
-		emptyLoggedInPermissionSet = new PermissionSet();
-		emptyLoggedInPermissionSet.setUri("java:emptyPS");
-		emptyLoggedInPermissionSet.setLabel("emptyLoggedInPermissionSet");
-
-		loggedInPermissionSet1 = new PermissionSet();
-		loggedInPermissionSet1.setUri("java:loggedInPS1");
-		loggedInPermissionSet1.setLabel("loggedInPermissionSet1");
-		setPermissions(loggedInPermissionSet1, permissionLI1);
-
-		loggedInPermissionSet2 = new PermissionSet();
-		loggedInPermissionSet2.setUri("java:loggedInPS2");
-		loggedInPermissionSet2.setLabel("loggedInPermissionSet2");
-		setPermissions(loggedInPermissionSet2, permissionLI2a, permissionLI2b);
-
-		uaDao.addPermissionSet(emptyLoggedInPermissionSet);
-		uaDao.addPermissionSet(loggedInPermissionSet1);
-		uaDao.addPermissionSet(loggedInPermissionSet2);
-		// "public" permission sets are added for specific tests.
-	}
-
-	// ----------------------------------------------------------------------
-	// the tests
-	// ----------------------------------------------------------------------
-
-	@Test
-	public void notLoggedInNoPublicSets() {
-		expectedIds = new ArrayIdentifierBundle();
-		actualIds = factory.getIdentifierBundle(req);
-		assertEquals("no public sets", expectedIds, actualIds);
-	}
-
-	@Test
-	public void notLoggedInEmptyPublicSet() {
-		uaDao.addPermissionSet(emptyPublicPermissionSet);
-
-		expectedIds = new ArrayIdentifierBundle();
-		actualIds = factory.getIdentifierBundle(req);
-		assertEquals("empty public set", expectedIds, actualIds);
-	}
-
-	@Test
-	public void notLoggedInOnePublicSet() {
-		uaDao.addPermissionSet(publicPermissionSet1);
-
-		expectedIds = new ArrayIdentifierBundle(id(permissionP1a),
-				id(permissionP1b));
-		actualIds = factory.getIdentifierBundle(req);
-		assertEqualIds("one public set", expectedIds, actualIds);
-	}
-
-	@Test
-	public void notLoggedInTwoPublicSets() {
-		uaDao.addPermissionSet(publicPermissionSet1);
-		uaDao.addPermissionSet(publicPermissionSet2);
-
-		expectedIds = new ArrayIdentifierBundle(id(permissionP1a),
-				id(permissionP1b), id(permissionP2));
-		actualIds = factory.getIdentifierBundle(req);
-		assertEqualIds("two public sets", expectedIds, actualIds);
-	}
-
-	@Test
-	public void loggedInNoSets() {
-		LoginStatusBean.setBean(session, lsb);
-
-		expectedIds = new ArrayIdentifierBundle();
-		actualIds = factory.getIdentifierBundle(req);
-		assertEquals("no logged in sets", expectedIds, actualIds);
-	}
-
-	@Test
-	public void loggedInEmptySet() {
-		LoginStatusBean.setBean(session, lsb);
-		user.setPermissionSetUris(list(emptyLoggedInPermissionSet.getUri()));
-
-		expectedIds = new ArrayIdentifierBundle();
-		actualIds = factory.getIdentifierBundle(req);
-		assertEquals("empty logged in set", expectedIds, actualIds);
-	}
-
-	@Test
-	public void loggedInOneSet() {
-		LoginStatusBean.setBean(session, lsb);
-		user.setPermissionSetUris(list(loggedInPermissionSet1.getUri()));
-
-		expectedIds = new ArrayIdentifierBundle(id(permissionLI1));
-		actualIds = factory.getIdentifierBundle(req);
-		assertEqualIds("one logged in set", expectedIds, actualIds);
-	}
-
-	@Test
-	public void loggedInTwoSets() {
-		LoginStatusBean.setBean(session, lsb);
-		user.setPermissionSetUris(list(loggedInPermissionSet1.getUri(),
-				loggedInPermissionSet2.getUri()));
-
-		expectedIds = new ArrayIdentifierBundle(id(permissionLI1),
-				id(permissionLI2a), id(permissionLI2b));
-		actualIds = factory.getIdentifierBundle(req);
-		assertEqualIds("two logged in sets", expectedIds, actualIds);
-	}
-
-	// ----------------------------------------------------------------------
-	// helper methods
-	// ----------------------------------------------------------------------
-
-	private void setPermissions(PermissionSet ps, Permission... permissions) {
-		List<String> uris = new ArrayList<String>();
-		for (Permission p : permissions) {
-			uris.add(p.getUri());
-		}
-		ps.setPermissionUris(uris);
-	}
-
-	private HasPermission id(Permission p) {
-		return new HasPermission(p);
-	}
-
-	private <T> List<T> list(T... elements) {
-		List<T> l = new ArrayList<T>();
-		Collections.addAll(l, elements);
-		return l;
-	}
-
-	private void assertEqualIds(String message, IdentifierBundle expected,
-			IdentifierBundle actual) {
-		Set<HasPermission> expectedSet = new HashSet<HasPermission>();
-		for (Identifier id : expected) {
-			expectedSet.add((HasPermission) id);
-		}
-		Set<HasPermission> actualSet = new HashSet<HasPermission>();
-		for (Identifier id : actual) {
-			actualSet.add((HasPermission) id);
-		}
-		assertEqualSets(message, expectedSet, actualSet);
-	}
-
-	private static class MyPermission extends Permission {
-		public MyPermission(String uri) {
-			super(uri);
-		}
-
-		@Override
-		public boolean isAuthorized(RequestedAction whatToAuth) {
-			return false;
-		}
-
-	}
-}
diff --git a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/identifier/factory/IsRootUserFactoryTest.java b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/identifier/factory/IsRootUserFactoryTest.java
index 3c0d0814d3..9858ed1ec0 100644
--- a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/identifier/factory/IsRootUserFactoryTest.java
+++ b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/identifier/factory/IsRootUserFactoryTest.java
@@ -65,7 +65,7 @@ public void setup() {
 		req = new HttpServletRequestStub();
 		req.setSession(session);
 
-		factory = new IsRootUserFactory(ctx);
+		factory = new IsRootUserFactory();
 	}
 
 	@Test
diff --git a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/identifier/factory/IsUserFactoryTest.java b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/identifier/factory/IsUserFactoryTest.java
index 89c1cc64f7..57ad3b7041 100644
--- a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/identifier/factory/IsUserFactoryTest.java
+++ b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/identifier/factory/IsUserFactoryTest.java
@@ -55,7 +55,7 @@ public void setup() {
 		req = new HttpServletRequestStub();
 		req.setSession(session);
 
-		factory = new IsUserFactory(ctx);
+		factory = new IsUserFactory();
 	}
 
 	@Test
diff --git a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/AccessAllowedClassesPolicyTemplateTest.java b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/AccessAllowedClassesPolicyTemplateTest.java
new file mode 100644
index 0000000000..139c547671
--- /dev/null
+++ b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/AccessAllowedClassesPolicyTemplateTest.java
@@ -0,0 +1,84 @@
+package edu.cornell.mannlib.vitro.webapp.auth.policy;
+
+import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType.CLASS;
+import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation.DISPLAY;
+import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation.PUBLISH;
+import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation.UPDATE;
+import static org.junit.Assert.assertFalse;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.List;
+import java.util.Set;
+
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType;
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized;
+
+@RunWith(Parameterized.class)
+public class AccessAllowedClassesPolicyTemplateTest extends PolicyTest {
+
+    @org.junit.runners.Parameterized.Parameter(0)
+    public AccessOperation ao;
+
+    @org.junit.runners.Parameterized.Parameter(1)
+    public AccessObjectType type;
+
+    @org.junit.runners.Parameterized.Parameter(2)
+    public String roleUri;
+
+    @org.junit.runners.Parameterized.Parameter(3)
+    public int rulesCount;
+
+    @org.junit.runners.Parameterized.Parameter(4)
+    public Set<Integer> attrCount;
+
+    @Test
+    public void testPolicy() {
+        load(TEMPLATE_CLASS_PATH);
+        List<String> roles = new ArrayList<>();
+        roles.addAll(ROLE_LIST);
+        if (roleUri.equals(CUSTOM)) {
+            PolicyTemplateController.createRoleDataSets(CUSTOM);
+            roles.add(CUSTOM);
+        }
+        EntityPolicyController.grantAccess("test:entity", type, ao, roleUri);
+        DynamicPolicy policy = null;
+        String dataSet =
+                loader.getDataSetUriByKey(new String[] { }, new String[] { ao.toString(), type.toString(), roleUri });
+        policy = loader.loadPolicyFromTemplateDataSet(dataSet);
+        countRulesAndAttributes(policy, rulesCount, attrCount);
+        Set<String> values = loader.getDataSetValues(ao, type, roleUri);
+        assertFalse(values.isEmpty());
+    }
+
+    @Parameterized.Parameters
+    public static Collection<Object[]> requests() {
+        return Arrays.asList(new Object[][] {
+            { DISPLAY, CLASS, PUBLIC, 1, Collections.singleton(4) },
+            { DISPLAY, CLASS, SELF_EDITOR, 1, Collections.singleton(4) },
+            { DISPLAY, CLASS, EDITOR, 1, Collections.singleton(4) },
+            { DISPLAY, CLASS, CURATOR, 1, Collections.singleton(4) },
+            { DISPLAY, CLASS, ADMIN, 1, Collections.singleton(4) },
+            { DISPLAY, CLASS, CUSTOM, 1, Collections.singleton(4) },
+
+            { PUBLISH, CLASS, SELF_EDITOR, 1, Collections.singleton(4) },
+            { PUBLISH, CLASS, EDITOR, 1, Collections.singleton(4) },
+            { PUBLISH, CLASS, CURATOR, 1, Collections.singleton(4) },
+            { PUBLISH, CLASS, ADMIN, 1, Collections.singleton(4) },
+            { PUBLISH, CLASS, CUSTOM, 1, Collections.singleton(4) },
+
+            { UPDATE, CLASS, PUBLIC, 1, Collections.singleton(4) },
+            { UPDATE, CLASS, SELF_EDITOR, 1, Collections.singleton(4) },
+            { UPDATE, CLASS, EDITOR, 1, Collections.singleton(4) },
+            { UPDATE, CLASS, CURATOR, 1, Collections.singleton(4) },
+            { UPDATE, CLASS, ADMIN, 1, Collections.singleton(4) },
+            { UPDATE, CLASS, CUSTOM, 1, Collections.singleton(4) }, });
+
+    }
+
+}
diff --git a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/AccessAllowedPropertiesPolicyTemplateTest.java b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/AccessAllowedPropertiesPolicyTemplateTest.java
new file mode 100644
index 0000000000..5cd4826702
--- /dev/null
+++ b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/AccessAllowedPropertiesPolicyTemplateTest.java
@@ -0,0 +1,191 @@
+package edu.cornell.mannlib.vitro.webapp.auth.policy;
+
+import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType.DATA_PROPERTY;
+import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType.FAUX_DATA_PROPERTY;
+import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType.FAUX_OBJECT_PROPERTY;
+import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType.OBJECT_PROPERTY;
+import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation.ADD;
+import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation.DISPLAY;
+import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation.DROP;
+import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation.EDIT;
+import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation.PUBLISH;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.List;
+import java.util.Set;
+
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType;
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized;
+
+@RunWith(Parameterized.class)
+public class AccessAllowedPropertiesPolicyTemplateTest extends PolicyTest {
+
+    @org.junit.runners.Parameterized.Parameter(0)
+    public AccessOperation ao;
+
+    @org.junit.runners.Parameterized.Parameter(1)
+    public AccessObjectType type;
+
+    @org.junit.runners.Parameterized.Parameter(2)
+    public String roleUri;
+
+    @org.junit.runners.Parameterized.Parameter(3)
+    public int rulesCount;
+
+    @org.junit.runners.Parameterized.Parameter(4)
+    public Set<Integer> attrCount;
+
+    @Test
+    public void testPolicy() {
+        load(TEMPLATE_PROPERTIES_PATH);
+        List<String> roles = new ArrayList<>();
+        roles.addAll(ROLE_LIST);
+        if (roleUri.equals(CUSTOM)) {
+            PolicyTemplateController.createRoleDataSets(CUSTOM);
+            roles.add(CUSTOM);
+        }
+        EntityPolicyController.grantAccess("test:entity", type, ao, roleUri);
+        DynamicPolicy policy = null;
+        String dataSet =
+                loader.getDataSetUriByKey(new String[] { }, new String[] { ao.toString(), type.toString(), roleUri });
+        policy = loader.loadPolicyFromTemplateDataSet(dataSet);
+        countRulesAndAttributes(policy, rulesCount, attrCount);
+        assertTrue(EntityPolicyController.isGranted("test:entity", type, ao, roleUri));
+        Set<String> values = loader.getDataSetValues(ao, type, roleUri);
+        assertFalse(values.isEmpty());
+    }
+
+    @Parameterized.Parameters
+    public static Collection<Object[]> requests() {
+        return Arrays.asList(new Object[][] {
+
+                { DISPLAY, OBJECT_PROPERTY, ADMIN, 2, num(4) },
+                { DISPLAY, OBJECT_PROPERTY, CURATOR, 2, num(4) },
+                { DISPLAY, OBJECT_PROPERTY, EDITOR, 2, num(4) },
+                { DISPLAY, OBJECT_PROPERTY, PUBLIC, 2, num(4) },
+                { DISPLAY, OBJECT_PROPERTY, CUSTOM, 2, num(4) },
+
+                { DISPLAY, DATA_PROPERTY, ADMIN, 2, num(4) },
+                { DISPLAY, DATA_PROPERTY, CURATOR, 2, num(4) },
+                { DISPLAY, DATA_PROPERTY, EDITOR, 2, num(4) },
+                { DISPLAY, DATA_PROPERTY, PUBLIC, 2, num(4) },
+                { DISPLAY, DATA_PROPERTY, CUSTOM, 2, num(4) },
+
+                { DISPLAY, FAUX_OBJECT_PROPERTY, ADMIN, 2, num(4) },
+                { DISPLAY, FAUX_OBJECT_PROPERTY, CURATOR, 2, num(4) },
+                { DISPLAY, FAUX_OBJECT_PROPERTY, EDITOR, 2, num(4) },
+                { DISPLAY, FAUX_OBJECT_PROPERTY, PUBLIC, 2, num(4) },
+                { DISPLAY, FAUX_OBJECT_PROPERTY, CUSTOM, 2, num(4) },
+
+                { DISPLAY, FAUX_DATA_PROPERTY, ADMIN, 2, num(4) },
+                { DISPLAY, FAUX_DATA_PROPERTY, CURATOR, 2, num(4) },
+                { DISPLAY, FAUX_DATA_PROPERTY, EDITOR, 2, num(4) },
+                { DISPLAY, FAUX_DATA_PROPERTY, PUBLIC, 2, num(4) },
+                { DISPLAY, FAUX_DATA_PROPERTY, CUSTOM, 2, num(4) },
+
+                { PUBLISH, OBJECT_PROPERTY, ADMIN, 2, num(4) },
+                { PUBLISH, OBJECT_PROPERTY, CURATOR, 2, num(4) },
+                { PUBLISH, OBJECT_PROPERTY, EDITOR, 2, num(4) },
+                { PUBLISH, OBJECT_PROPERTY, CUSTOM, 2, num(4) },
+
+                { PUBLISH, DATA_PROPERTY, ADMIN, 2, num(4) },
+                { PUBLISH, DATA_PROPERTY, CURATOR, 2, num(4) },
+                { PUBLISH, DATA_PROPERTY, EDITOR, 2, num(4) },
+                { PUBLISH, DATA_PROPERTY, CUSTOM, 2, num(4) },
+
+                { PUBLISH, FAUX_OBJECT_PROPERTY, ADMIN, 2, num(4) },
+                { PUBLISH, FAUX_OBJECT_PROPERTY, CURATOR, 2, num(4) },
+                { PUBLISH, FAUX_OBJECT_PROPERTY, EDITOR, 2, num(4) },
+                { PUBLISH, FAUX_OBJECT_PROPERTY, CUSTOM, 2, num(4) },
+
+                { PUBLISH, FAUX_DATA_PROPERTY, ADMIN, 2, num(4) },
+                { PUBLISH, FAUX_DATA_PROPERTY, CURATOR, 2, num(4) },
+                { PUBLISH, FAUX_DATA_PROPERTY, EDITOR, 2, num(4) },
+                { PUBLISH, FAUX_DATA_PROPERTY, CUSTOM, 2, num(4) },
+
+                { EDIT, OBJECT_PROPERTY, ADMIN, 2, num(4) },
+                { EDIT, OBJECT_PROPERTY, CURATOR, 2, num(4) },
+                { EDIT, OBJECT_PROPERTY, EDITOR, 2, num(4) },
+                { EDIT, OBJECT_PROPERTY, PUBLIC, 2, num(4) },
+                { EDIT, OBJECT_PROPERTY, CUSTOM, 2, num(4) },
+
+                { ADD, OBJECT_PROPERTY, ADMIN, 2, num(4) },
+                { ADD, OBJECT_PROPERTY, CURATOR, 2, num(4) },
+                { ADD, OBJECT_PROPERTY, EDITOR, 2, num(4) },
+                { ADD, OBJECT_PROPERTY, PUBLIC, 2, num(4) },
+                { ADD, OBJECT_PROPERTY, CUSTOM, 2, num(4) },
+
+                { DROP, OBJECT_PROPERTY, ADMIN, 2, num(4) },
+                { DROP, OBJECT_PROPERTY, CURATOR, 2, num(4) },
+                { DROP, OBJECT_PROPERTY, EDITOR, 2, num(4) },
+                { DROP, OBJECT_PROPERTY, PUBLIC, 2, num(4) },
+                { DROP, OBJECT_PROPERTY, CUSTOM, 2, num(4) },
+
+                { EDIT, DATA_PROPERTY, ADMIN, 2, num(4) },
+                { EDIT, DATA_PROPERTY, CURATOR, 2, num(4) },
+                { EDIT, DATA_PROPERTY, EDITOR, 2, num(4) },
+                { EDIT, DATA_PROPERTY, PUBLIC, 2, num(4) },
+                { EDIT, DATA_PROPERTY, CUSTOM, 2, num(4) },
+
+                { ADD, DATA_PROPERTY, ADMIN, 2, num(4) },
+                { ADD, DATA_PROPERTY, CURATOR, 2, num(4) },
+                { ADD, DATA_PROPERTY, EDITOR, 2, num(4) },
+                { ADD, DATA_PROPERTY, PUBLIC, 2, num(4) },
+                { ADD, DATA_PROPERTY, CUSTOM, 2, num(4) },
+
+                { DROP, DATA_PROPERTY, ADMIN, 2, num(4) },
+                { DROP, DATA_PROPERTY, CURATOR, 2, num(4) },
+                { DROP, DATA_PROPERTY, EDITOR, 2, num(4) },
+                { DROP, DATA_PROPERTY, PUBLIC, 2, num(4) },
+                { DROP, DATA_PROPERTY, CUSTOM, 2, num(4) },
+
+                { EDIT, FAUX_OBJECT_PROPERTY, ADMIN, 2, num(4) },
+                { EDIT, FAUX_OBJECT_PROPERTY, CURATOR, 2, num(4) },
+                { EDIT, FAUX_OBJECT_PROPERTY, EDITOR, 2, num(4) },
+                { EDIT, FAUX_OBJECT_PROPERTY, PUBLIC, 2, num(4) },
+                { EDIT, FAUX_OBJECT_PROPERTY, CUSTOM, 2, num(4) },
+
+                { ADD, FAUX_OBJECT_PROPERTY, ADMIN, 2, num(4) },
+                { ADD, FAUX_OBJECT_PROPERTY, CURATOR, 2, num(4) },
+                { ADD, FAUX_OBJECT_PROPERTY, EDITOR, 2, num(4) },
+                { ADD, FAUX_OBJECT_PROPERTY, PUBLIC, 2, num(4) },
+                { ADD, FAUX_OBJECT_PROPERTY, CUSTOM, 2, num(4) },
+
+                { DROP, FAUX_OBJECT_PROPERTY, ADMIN, 2, num(4) },
+                { DROP, FAUX_OBJECT_PROPERTY, CURATOR, 2, num(4) },
+                { DROP, FAUX_OBJECT_PROPERTY, EDITOR, 2, num(4) },
+                { DROP, FAUX_OBJECT_PROPERTY, PUBLIC, 2, num(4) },
+                { DROP, FAUX_OBJECT_PROPERTY, CUSTOM, 2, num(4) },
+
+                { EDIT, FAUX_DATA_PROPERTY, ADMIN, 2, num(4) },
+                { EDIT, FAUX_DATA_PROPERTY, CURATOR, 2, num(4) },
+                { EDIT, FAUX_DATA_PROPERTY, EDITOR, 2, num(4) },
+                { EDIT, FAUX_DATA_PROPERTY, PUBLIC, 2, num(4) },
+                { EDIT, FAUX_DATA_PROPERTY, CUSTOM, 2, num(4) },
+
+                { ADD, FAUX_DATA_PROPERTY, ADMIN, 2, num(4) },
+                { ADD, FAUX_DATA_PROPERTY, CURATOR, 2, num(4) },
+                { ADD, FAUX_DATA_PROPERTY, EDITOR, 2, num(4) },
+                { ADD, FAUX_DATA_PROPERTY, PUBLIC, 2, num(4) },
+                { ADD, FAUX_DATA_PROPERTY, CUSTOM, 2, num(4) },
+
+                { DROP, FAUX_DATA_PROPERTY, ADMIN, 2, num(4) },
+                { DROP, FAUX_DATA_PROPERTY, CURATOR, 2, num(4) },
+                { DROP, FAUX_DATA_PROPERTY, EDITOR, 2, num(4) },
+                { DROP, FAUX_DATA_PROPERTY, PUBLIC, 2, num(4) },
+                { DROP, FAUX_DATA_PROPERTY, CUSTOM, 2, num(4) },});
+    }
+
+    private static Set<Integer> num(int i) {
+        return Collections.singleton(i);
+    }
+
+}
diff --git a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/AccessRelatedAllowedPropertiesPolicyTemplateTest.java b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/AccessRelatedAllowedPropertiesPolicyTemplateTest.java
new file mode 100644
index 0000000000..60e90c7199
--- /dev/null
+++ b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/AccessRelatedAllowedPropertiesPolicyTemplateTest.java
@@ -0,0 +1,71 @@
+package edu.cornell.mannlib.vitro.webapp.auth.policy;
+
+import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType.DATA_PROPERTY;
+import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType.FAUX_DATA_PROPERTY;
+import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType.FAUX_OBJECT_PROPERTY;
+import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType.OBJECT_PROPERTY;
+import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation.DISPLAY;
+import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation.PUBLISH;
+import static org.junit.Assert.assertFalse;
+
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.Set;
+
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType;
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized;
+
+@RunWith(Parameterized.class)
+public class AccessRelatedAllowedPropertiesPolicyTemplateTest extends PolicyTest {
+
+    @org.junit.runners.Parameterized.Parameter(0)
+    public AccessOperation ao;
+
+    @org.junit.runners.Parameterized.Parameter(1)
+    public AccessObjectType type;
+
+    @org.junit.runners.Parameterized.Parameter(2)
+    public String roleUri;
+
+    @org.junit.runners.Parameterized.Parameter(3)
+    public int rulesCount;
+
+    @org.junit.runners.Parameterized.Parameter(4)
+    public Set<Integer> attrCount;
+
+    @Test
+    public void testPolicy() {
+        load(TEMPLATE_RELATED_PROPERTIES_PATH);
+        EntityPolicyController.grantAccess("test:entity", type, ao, roleUri);
+        DynamicPolicy policy = null;
+        String dataSet =
+                loader.getDataSetUriByKey(new String[] { }, new String[] { ao.toString(), type.toString(), roleUri });
+        policy = loader.loadPolicyFromTemplateDataSet(dataSet);
+        countRulesAndAttributes(policy, rulesCount, attrCount);
+        Set<String> values = loader.getDataSetValues(ao, type, roleUri);
+        assertFalse(values.isEmpty());
+    }
+
+    @Parameterized.Parameters
+    public static Collection<Object[]> requests() {
+        return Arrays.asList(new Object[][] {
+
+                { DISPLAY, OBJECT_PROPERTY, SELF_EDITOR, 2, num(4) },
+                { DISPLAY, DATA_PROPERTY, SELF_EDITOR, 2, num(4) },
+                { DISPLAY, FAUX_OBJECT_PROPERTY, SELF_EDITOR, 2, num(4) },
+                { DISPLAY, FAUX_DATA_PROPERTY, SELF_EDITOR, 2, num(4) },
+                { PUBLISH, OBJECT_PROPERTY, SELF_EDITOR, 2, num(4) },
+                { PUBLISH, DATA_PROPERTY, SELF_EDITOR, 2, num(4) },
+                { PUBLISH, FAUX_OBJECT_PROPERTY, SELF_EDITOR, 2, num(4) },
+                { PUBLISH, FAUX_DATA_PROPERTY, SELF_EDITOR, 2, num(4) }, });
+    }
+
+    private static Set<Integer> num(int i) {
+        return Collections.singleton(i);
+    }
+
+}
diff --git a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/BasicPolicyTest.java b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/BasicPolicyTest.java
new file mode 100644
index 0000000000..fca742cd2b
--- /dev/null
+++ b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/BasicPolicyTest.java
@@ -0,0 +1,113 @@
+package edu.cornell.mannlib.vitro.webapp.auth.policy;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+
+import java.io.StringWriter;
+import java.util.Collections;
+import java.util.Set;
+
+import org.apache.jena.rdf.model.Model;
+import org.apache.jena.rdf.model.ModelFactory;
+import org.junit.Test;
+
+public class BasicPolicyTest extends PolicyTest {
+
+    public static final String BROKEN_POLICY_BROKEN_TEST = RESOURCES_RULES_PREFIX + "test_policy_broken1.n3";
+    public static final String BROKEN_POLICY_BROKEN_TYPE = RESOURCES_RULES_PREFIX + "test_policy_broken2.n3";
+    public static final String BROKEN_POLICY_BROKEN_TEST_ID = RESOURCES_RULES_PREFIX + "test_policy_broken3.n3";
+    public static final String BROKEN_POLICY_BROKEN_TYPE_ID = RESOURCES_RULES_PREFIX + "test_policy_broken4.n3";
+    public static final String BROKEN_POLICY_BROKEN_ATTRIBUTE_VALUES =
+            RESOURCES_RULES_PREFIX + "test_policy_broken5.n3";
+
+    @Test
+    public void testGetPolicyUris() {
+        load(VALID_POLICY);
+        assertTrue(!loader.getPolicyUris().isEmpty());
+    }
+
+    @Test
+    public void testValidPolicy() {
+        load(VALID_POLICY);
+        assertTrue(!loader.getPolicyUris().isEmpty());
+    }
+
+    @Test
+    public void testValidPolicyTemplate() {
+        load(VALID_POLICY_TEMPLATE);
+        String uri = "https://vivoweb.org/ontology/vitro-application/auth/individual/ValidTestSetPolicy";
+        Set<DynamicPolicy> policies = loader.loadPolicies(uri);
+        assertEquals(2, policies.size());
+        DynamicPolicy policy = policies.iterator().next();
+        countRulesAndAttributes(policy, 1, Collections.singleton(2));
+        policy = policies.iterator().next();
+        countRulesAndAttributes(policy, 1, Collections.singleton(2));
+    }
+
+    @Test
+    public void testBrokenTestId() {
+        load(BROKEN_POLICY_BROKEN_TEST_ID);
+        String uri = "https://vivoweb.org/ontology/vitro-application/auth/individual/BrokenPolicyBrokenTestTypeId";
+        Set<DynamicPolicy> policies = loader.loadPolicies(uri);
+        assertEquals(0, policies.size());
+    }
+
+    @Test
+    public void testBrokenTypeId() {
+        load(BROKEN_POLICY_BROKEN_TYPE_ID);
+        String uri = "https://vivoweb.org/ontology/vitro-application/auth/individual/BrokenPolicyTypeId";
+        Set<DynamicPolicy> policies = loader.loadPolicies(uri);
+        assertEquals(0, policies.size());
+    }
+
+    @Test
+    public void testBrokenTest() {
+        load(BROKEN_POLICY_BROKEN_TEST);
+        String uri = "https://vivoweb.org/ontology/vitro-application/auth/individual/BrokenPolicyBrokenTestType";
+        Set<DynamicPolicy> policies = loader.loadPolicies(uri);
+        assertEquals(0, policies.size());
+    }
+
+    @Test
+    public void testBrokenType() {
+        load(BROKEN_POLICY_BROKEN_TYPE);
+        String uri = "https://vivoweb.org/ontology/vitro-application/auth/individual/BrokenPolicyType";
+        Set<DynamicPolicy> policies = loader.loadPolicies(uri);
+        assertEquals(0, policies.size());
+    }
+
+    @Test
+    public void testBrokenAttributeValue() {
+        load(BROKEN_POLICY_BROKEN_ATTRIBUTE_VALUES);
+        String uri = "https://vivoweb.org/ontology/vitro-application/auth/individual/BrokenTestSetPolicy";
+        Set<DynamicPolicy> policies = loader.loadPolicies(uri);
+        assertEquals(0, policies.size());
+    }
+
+    @Test
+    public void testBrokenPolicyTemplate() {
+        load(BROKEN_POLICY_TEMPLATE);
+        String uri = "https://vivoweb.org/ontology/vitro-application/auth/individual/BrokenTestSetPolicy";
+        Set<DynamicPolicy> policies = loader.loadPolicies(uri);
+        assertEquals(0, policies.size());
+    }
+
+    @Test
+    public void testDuplicateTriplesInPolicies() {
+        Model m1 = ModelFactory.createDefaultModel();
+        Model m2 = ModelFactory.createDefaultModel();
+        for (String entityPolicyPath : entityPolicies) {
+            load(m2, entityPolicyPath);
+            Model intersection = m1.intersection(m2);
+            if (intersection.size() != 0) {
+                StringWriter sw = new StringWriter();
+                m1.write(sw, "TTL");
+                System.out.println(entityPolicyPath);
+                System.out.println(sw.toString());
+            }
+            assertEquals(0, intersection.size());
+            load(m1, entityPolicyPath);
+            m2.removeAll();
+        }
+    }
+}
diff --git a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/EditablePagesPolicyTest.java b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/EditablePagesPolicyTest.java
new file mode 100644
index 0000000000..d9f4fc9091
--- /dev/null
+++ b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/EditablePagesPolicyTest.java
@@ -0,0 +1,128 @@
+package edu.cornell.mannlib.vitro.webapp.auth.policy;
+
+import static edu.cornell.mannlib.vitro.webapp.auth.objects.AccessObject.SOME_PREDICATE;
+import static edu.cornell.mannlib.vitro.webapp.auth.objects.AccessObject.SOME_URI;
+import static edu.cornell.mannlib.vitro.webapp.dao.VitroVocabulary.AUTH_INDIVIDUAL_PREFIX;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.Set;
+
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.ObjectPropertyStatementAccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.DecisionResult;
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.SimpleAuthorizationRequest;
+import edu.cornell.mannlib.vitro.webapp.auth.rules.AccessRule;
+import org.junit.Test;
+
+public class EditablePagesPolicyTest extends PolicyTest {
+
+    public static final String RELATED_EDITABLE_PAGES_POLICY_PATH =
+            PolicyTest.USER_ACCOUNTS_HOME_FIRSTTIME + "policy_related_editable_pages.n3";
+    public static final String EDITABLE_PAGES_TEMPLATE_PATH =
+            PolicyTest.USER_ACCOUNTS_HOME_FIRSTTIME + "template_editable_pages.n3";
+
+    @Test
+    public void testLoadRelatedEditablePagesPolicy() {
+        load(RELATED_EDITABLE_PAGES_POLICY_PATH);
+        String policyUri = AUTH_INDIVIDUAL_PREFIX + "edit-related-individual-pages/Policy";
+        Set<DynamicPolicy> policies = loader.loadPolicies(policyUri);
+        assertEquals(1, policies.size());
+        DynamicPolicy policy = policies.iterator().next();
+        assertTrue(policy != null);
+        countRulesAndAttributes(policy, 1, new HashSet<>(Arrays.asList(6)));
+    }
+
+    @Test
+    public void testAdminEditablePagesPolicy() {
+        load(EDITABLE_PAGES_TEMPLATE_PATH);
+        String dataSetUri = AUTH_INDIVIDUAL_PREFIX + "edit-individual-pages/AdminRoleDataSet";
+        DynamicPolicy policy = loader.loadPolicyFromTemplateDataSet(dataSetUri);
+        assertTrue(policy != null);
+        assertEquals(1, policy.getRules().size());
+        final AccessRule rule = policy.getRules().iterator().next();
+        assertEquals(true, rule.isAllowMatched());
+        assertEquals(5, rule.getChecksCount());
+
+        AccessOperation operation = AccessOperation.EDIT;
+        ObjectPropertyStatementAccessObject object =
+                new ObjectPropertyStatementAccessObject(null, "test://uri", SOME_PREDICATE, SOME_URI);
+        SimpleAuthorizationRequest ar = new SimpleAuthorizationRequest(object, operation);
+        ar.setRoleUris(Arrays.asList(CURATOR));
+        assertEquals(DecisionResult.INCONCLUSIVE, policy.decide(ar).getDecisionResult());
+        ar.setRoleUris(Arrays.asList(ADMIN));
+        assertEquals(DecisionResult.AUTHORIZED, policy.decide(ar).getDecisionResult());
+    }
+
+    @Test
+    public void testCuratorEditablePagesPolicy() {
+        load(EDITABLE_PAGES_TEMPLATE_PATH);
+        String dataSetUri = AUTH_INDIVIDUAL_PREFIX + "edit-individual-pages/CuratorRoleDataSet";
+        DynamicPolicy policy = loader.loadPolicyFromTemplateDataSet(dataSetUri);
+        assertTrue(policy != null);
+        assertEquals(1, policy.getRules().size());
+        final AccessRule rule = policy.getRules().iterator().next();
+        assertEquals(true, rule.isAllowMatched());
+        assertEquals(5, rule.getChecksCount());
+
+        AccessOperation operation = AccessOperation.EDIT;
+        ObjectPropertyStatementAccessObject object =
+                new ObjectPropertyStatementAccessObject(null, "test://uri", SOME_PREDICATE, SOME_URI);
+        SimpleAuthorizationRequest ar = new SimpleAuthorizationRequest(object, operation);
+        ar.setRoleUris(Arrays.asList(ADMIN));
+        assertEquals(DecisionResult.INCONCLUSIVE, policy.decide(ar).getDecisionResult());
+        ar.setRoleUris(Arrays.asList(CURATOR));
+        assertEquals(DecisionResult.AUTHORIZED, policy.decide(ar).getDecisionResult());
+    }
+
+    @Test
+    public void testEditorEditablePagesPolicy() {
+        load(EDITABLE_PAGES_TEMPLATE_PATH);
+        String dataSetUri = AUTH_INDIVIDUAL_PREFIX + "edit-individual-pages/EditorRoleDataSet";
+        DynamicPolicy policy = loader.loadPolicyFromTemplateDataSet(dataSetUri);
+        assertTrue(policy != null);
+        assertEquals(1, policy.getRules().size());
+        final AccessRule rule = policy.getRules().iterator().next();
+        assertEquals(true, rule.isAllowMatched());
+        assertEquals(5, rule.getChecksCount());
+
+        AccessOperation operation = AccessOperation.EDIT;
+        ObjectPropertyStatementAccessObject object =
+                new ObjectPropertyStatementAccessObject(null, "test://uri", SOME_PREDICATE, SOME_URI);
+        SimpleAuthorizationRequest ar = new SimpleAuthorizationRequest(object, operation);
+        ar.setRoleUris(Arrays.asList(ADMIN));
+        assertEquals(DecisionResult.INCONCLUSIVE, policy.decide(ar).getDecisionResult());
+        ar.setRoleUris(Arrays.asList(EDITOR));
+        assertEquals(DecisionResult.AUTHORIZED, policy.decide(ar).getDecisionResult());
+    }
+
+    @Test
+    public void testCustomRole() {
+        load(EDITABLE_PAGES_TEMPLATE_PATH);
+
+        // Create custom data set
+        PolicyTemplateController.createRoleDataSets(CUSTOM);
+        // Get data set uri by key: role uri and named object
+        String dataSetUri = AUTH_INDIVIDUAL_PREFIX + "edit-individual-pages/CustomRoleDataSet";
+
+        assertTrue(dataSetUri != null);
+        DynamicPolicy policy = loader.loadPolicyFromTemplateDataSet(dataSetUri);
+        assertTrue(policy != null);
+        assertEquals(1, policy.getRules().size());
+        final AccessRule rule = policy.getRules().iterator().next();
+        assertEquals(true, rule.isAllowMatched());
+        assertEquals(5, rule.getChecksCount());
+
+        AccessOperation operation = AccessOperation.EDIT;
+        ObjectPropertyStatementAccessObject object =
+                new ObjectPropertyStatementAccessObject(null, "test://uri", SOME_PREDICATE, SOME_URI);
+        SimpleAuthorizationRequest ar = new SimpleAuthorizationRequest(object, operation);
+        ar.setRoleUris(Arrays.asList(PUBLIC));
+        assertEquals(DecisionResult.INCONCLUSIVE, policy.decide(ar).getDecisionResult());
+        ar.setRoleUris(Arrays.asList(CUSTOM));
+        assertEquals(DecisionResult.AUTHORIZED, policy.decide(ar).getDecisionResult());
+    }
+
+}
diff --git a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/EntityPolicyControllerTest.java b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/EntityPolicyControllerTest.java
new file mode 100644
index 0000000000..4725cb43be
--- /dev/null
+++ b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/EntityPolicyControllerTest.java
@@ -0,0 +1,38 @@
+package edu.cornell.mannlib.vitro.webapp.auth.policy;
+
+import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType.CLASS;
+import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation.DISPLAY;
+import static org.junit.Assert.assertEquals;
+
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
+
+import org.junit.Test;
+
+public class EntityPolicyControllerTest extends PolicyTest {
+
+    @Test
+    public void testGetGrantedRoles() {
+        load(USER_ACCOUNTS_HOME_FIRSTTIME + "template_access_allowed_class.n3");
+        List<String> allowedRoles = Arrays.asList(ADMIN, SELF_EDITOR);
+        EntityPolicyController.updateEntityDataSet("test:newClass", CLASS, DISPLAY, allowedRoles, ROLE_LIST);
+        List<String> roles = EntityPolicyController.getGrantedRoles("test:newClass", DISPLAY, CLASS, ROLE_LIST);
+        assertEquals(2, roles.size());
+        roles.contains(ADMIN);
+        roles.contains(EDITOR);
+    }
+
+    @Test
+    public void testPolicyDataSetModification() {
+        load(USER_ACCOUNTS_HOME_FIRSTTIME + "template_access_allowed_class.n3");
+        EntityPolicyController.grantAccess("test:newClass", CLASS, DISPLAY, ADMIN);
+        EntityPolicyController.grantAccess("test:newClass2", CLASS, DISPLAY, ADMIN);
+        List<String> roles = EntityPolicyController.getGrantedRoles("test:newClass", DISPLAY, CLASS, ROLE_LIST);
+        assertEquals(1, roles.size());
+        roles.contains(ADMIN);
+        EntityPolicyController.updateEntityDataSet("test:newClass", CLASS, DISPLAY, Collections.emptyList(), ROLE_LIST);
+        roles = EntityPolicyController.getGrantedRoles("test:newClass", DISPLAY, CLASS, ROLE_LIST);
+        assertEquals(0, roles.size());
+    }
+}
diff --git a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/HomeMenuItemsRestrictionPolicyTest.java b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/HomeMenuItemsRestrictionPolicyTest.java
new file mode 100644
index 0000000000..e785ac67d7
--- /dev/null
+++ b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/HomeMenuItemsRestrictionPolicyTest.java
@@ -0,0 +1,46 @@
+package edu.cornell.mannlib.vitro.webapp.auth.policy;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+
+import java.util.Set;
+
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.AccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.ObjectPropertyStatementAccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.DecisionResult;
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.SimpleAuthorizationRequest;
+import edu.cornell.mannlib.vitro.webapp.auth.rules.AccessRule;
+import edu.cornell.mannlib.vitro.webapp.beans.Property;
+import edu.cornell.mannlib.vitro.webapp.dao.VitroVocabulary;
+import org.junit.Test;
+
+public class HomeMenuItemsRestrictionPolicyTest extends PolicyTest {
+
+    public static final String MENU_ITEMS_POLICY_PATH =
+            PolicyTest.USER_ACCOUNTS_HOME_FIRSTTIME + "policy_menu_items_editing.n3";
+
+    @Test
+    public void testHomeMenuItemsRestrictionPolicy() {
+        load(MENU_ITEMS_POLICY_PATH);
+        String policyUri = VitroVocabulary.AUTH_INDIVIDUAL_PREFIX + "restrict-home-menu-items-editing/Policy";
+        Set<DynamicPolicy> policies = loader.loadPolicies(policyUri);
+        assertEquals(1, policies.size());
+        DynamicPolicy policy = policies.iterator().next();
+        assertEquals(9000, policy.getPriority());
+        assertTrue(policy.getRules().size() > 0);
+        final AccessRule rule = policy.getRules().iterator().next();
+        assertEquals(false, rule.isAllowMatched());
+        assertEquals(4, rule.getChecksCount());
+
+        AccessObject ao = new ObjectPropertyStatementAccessObject(null, null,
+                new Property("http://vitro.mannlib.cornell.edu/ontologies/display/1.1#HomeMenuItem"),
+                "http://vitro.mannlib.cornell.edu/ontologies/display/1.1#hasElement");
+        SimpleAuthorizationRequest ar = new SimpleAuthorizationRequest(ao, AccessOperation.DROP);
+        assertEquals(DecisionResult.UNAUTHORIZED, policy.decide(ar).getDecisionResult());
+        ar = new SimpleAuthorizationRequest(ao, AccessOperation.EDIT);
+        assertEquals(DecisionResult.UNAUTHORIZED, policy.decide(ar).getDecisionResult());
+        ar = new SimpleAuthorizationRequest(ao, AccessOperation.ADD);
+        assertEquals(DecisionResult.INCONCLUSIVE, policy.decide(ar).getDecisionResult());
+    }
+}
diff --git a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/NonModifiableStatementsPolicyTest.java b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/NonModifiableStatementsPolicyTest.java
new file mode 100644
index 0000000000..9c8cab2c5e
--- /dev/null
+++ b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/NonModifiableStatementsPolicyTest.java
@@ -0,0 +1,79 @@
+package edu.cornell.mannlib.vitro.webapp.auth.policy;
+
+import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation.DROP;
+import static edu.cornell.mannlib.vitro.webapp.auth.objects.AccessObject.SOME_LITERAL;
+import static edu.cornell.mannlib.vitro.webapp.auth.objects.AccessObject.SOME_URI;
+import static edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.DecisionResult.INCONCLUSIVE;
+import static edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.DecisionResult.UNAUTHORIZED;
+import static org.junit.Assert.assertEquals;
+
+import java.util.Set;
+
+import edu.cornell.mannlib.vitro.webapp.auth.objects.AccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.DataPropertyStatementAccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.ObjectPropertyStatementAccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.SimpleAuthorizationRequest;
+import edu.cornell.mannlib.vitro.webapp.auth.rules.AccessRule;
+import edu.cornell.mannlib.vitro.webapp.beans.Property;
+import edu.cornell.mannlib.vitro.webapp.dao.VitroVocabulary;
+import org.junit.Test;
+
+public class NonModifiableStatementsPolicyTest extends PolicyTest {
+
+    private static final String VALID = "http://vitro.mannlib.cornell.edu/ns/vitro/0.7#Valid";
+    private static final String MOD_TIME = "http://vitro.mannlib.cornell.edu/ns/vitro/0.7#modTime";
+    public static final String NOT_MODIFIABLE_STATEMENTS_POLICY_PATH = "template_not_modifiable_statements";
+
+    @Test
+    public void testNonModifiableStatementsPolicy() {
+        load(PolicyTest.USER_ACCOUNTS_HOME_FIRSTTIME + NOT_MODIFIABLE_STATEMENTS_POLICY_PATH + EXT);
+
+        String policyUri = VitroVocabulary.AUTH_INDIVIDUAL_PREFIX + "non-modifiable-statements/PolicyTemplate";
+        Set<DynamicPolicy> policies = loader.loadPolicies(policyUri);
+        assertEquals(1, policies.size());
+        DynamicPolicy policy = policies.iterator().next();
+        assertEquals(8000, policy.getPriority());
+        assertEquals(5, policy.getRules().size());
+        AccessRule rule = policy.getRules().iterator().next();
+        assertEquals(false, rule.isAllowMatched());
+        for (AccessRule irule : policy.getRules()) {
+            assertEquals(3, irule.getChecksCount());
+        }
+
+        AccessObject ao = new ObjectPropertyStatementAccessObject(null, VALID, null, null);
+        SimpleAuthorizationRequest ar = new SimpleAuthorizationRequest(ao, DROP);
+        assertEquals(UNAUTHORIZED, policy.decide(ar).getDecisionResult());
+        ao = new ObjectPropertyStatementAccessObject(null, MOD_TIME, null, null);
+        ar = new SimpleAuthorizationRequest(ao, DROP);
+        assertEquals(INCONCLUSIVE, policy.decide(ar).getDecisionResult());
+
+        ao = new ObjectPropertyStatementAccessObject(null, null, new Property(VALID), null);
+        ar = new SimpleAuthorizationRequest(ao, DROP);
+        assertEquals(UNAUTHORIZED, policy.decide(ar).getDecisionResult());
+        ao = new ObjectPropertyStatementAccessObject(null, null, new Property(MOD_TIME), null);
+        ar = new SimpleAuthorizationRequest(ao, DROP);
+        assertEquals(INCONCLUSIVE, policy.decide(ar).getDecisionResult());
+
+        ao = new ObjectPropertyStatementAccessObject(null, null, null, VALID);
+        ar = new SimpleAuthorizationRequest(ao, DROP);
+        assertEquals(UNAUTHORIZED, policy.decide(ar).getDecisionResult());
+        ao = new ObjectPropertyStatementAccessObject(null, null, null, MOD_TIME);
+        ar = new SimpleAuthorizationRequest(ao, DROP);
+        assertEquals(INCONCLUSIVE, policy.decide(ar).getDecisionResult());
+
+        // Data property statement
+        ao = new DataPropertyStatementAccessObject(null, VALID, SOME_URI, SOME_LITERAL);
+        ar = new SimpleAuthorizationRequest(ao, DROP);
+        assertEquals(UNAUTHORIZED, policy.decide(ar).getDecisionResult());
+        ao = new DataPropertyStatementAccessObject(null, MOD_TIME, SOME_URI, SOME_LITERAL);
+        ar = new SimpleAuthorizationRequest(ao, DROP);
+        assertEquals(INCONCLUSIVE, policy.decide(ar).getDecisionResult());
+
+        ao = new DataPropertyStatementAccessObject(null, SOME_URI, VALID, SOME_LITERAL);
+        ar = new SimpleAuthorizationRequest(ao, DROP);
+        assertEquals(UNAUTHORIZED, policy.decide(ar).getDecisionResult());
+        ao = new DataPropertyStatementAccessObject(null, SOME_URI, MOD_TIME, SOME_LITERAL);
+        ar = new SimpleAuthorizationRequest(ao, DROP);
+        assertEquals(INCONCLUSIVE, policy.decide(ar).getDecisionResult());
+    }
+}
diff --git a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyHelper_AuthorizationRequestTest.java b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyHelper_AuthorizationRequestTest.java
index dc80e325ac..1af4515f10 100644
--- a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyHelper_AuthorizationRequestTest.java
+++ b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyHelper_AuthorizationRequestTest.java
@@ -14,12 +14,14 @@
 import stubs.javax.servlet.ServletContextStub;
 import stubs.javax.servlet.http.HttpServletRequestStub;
 import stubs.javax.servlet.http.HttpSessionStub;
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType;
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation;
 import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle;
-import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.Authorization;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.AccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.DecisionResult;
 import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyDecision;
-import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyIface;
+import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.Policy;
 import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.AuthorizationRequest;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction;
 
 /**
  * Test the ability of the Policy Helper to authorize a variety of simple or
@@ -28,12 +30,12 @@
 public class PolicyHelper_AuthorizationRequestTest {
 	private ServletContextStub ctx;
 	private HttpServletRequestStub req;
-	private AuthorizationRequest nullAr = null;
+	private AccessObject nullAr = null;
 
 	@Before
 	public void setup() {
 		ctx = new ServletContextStub();
-
+		PolicyStore.getInstance().clear();
 		HttpSessionStub session = new HttpSessionStub();
 		session.setServletContext(ctx);
 
@@ -45,99 +47,99 @@ public void setup() {
 	// Helper methods
 	// ----------------------------------------------------------------------
 
-	private void createPolicy(RequestedAction... authorizedActions) {
-		ServletPolicyList.addPolicy(ctx, new MySimplePolicy(authorizedActions));
-	}
-
-	@Test
-	public void authorizedForActionsNull() {
-		createPolicy();
-		assertTrue("null actions",
-				PolicyHelper.isAuthorizedForActions(req, nullAr));
-	}
-
-	@Test
-	public void authorizedForActionsEmpty() {
-		createPolicy();
-		assertTrue("empty actions", PolicyHelper.isAuthorizedForActions(req));
-	}
-
-	@Test
-	public void authorizedForActionsAndPass() {
-		createPolicy(new Action1(), new Action2());
-		assertTrue("and pass", PolicyHelper.isAuthorizedForActions(req,
-				new Action1(), new Action2()));
+	private void createPolicy(AccessObject... authorizedActions) {
+		PolicyStore.getInstance().add(new MySimplePolicy(authorizedActions));
 	}
 
-	@Test
-	public void authorizedForActionsAndFail() {
-		createPolicy(new Action2());
-		assertFalse("and fail", PolicyHelper.isAuthorizedForActions(req,
-				new Action1(), new Action2()));
-	}
-
-	@Test
-	public void authorizedForActionsAndOrPass() {
-		createPolicy(new Action3());
-		assertTrue(
-				"and-or pass",
-				PolicyHelper.isAuthorizedForActions(req,
-						new Action1().and(new Action2()).or(new Action3())));
-	}
-
-	@Test
-	public void authorizedForActionsAndOrFail() {
-		createPolicy(new Action1());
-		assertFalse(
-				"and-or fail",
-				PolicyHelper.isAuthorizedForActions(req,
-						new Action1().and(new Action2()).or(new Action3())));
-	}
-
-	@Test
-	public void authorizedByACombinationOfPolicies() {
-		ServletPolicyList.addPolicy(ctx, new MySimplePolicy(new Action1()));
-		ServletPolicyList.addPolicy(ctx, new MySimplePolicy(new Action2()));
-		assertTrue("combination of policies",
-				PolicyHelper.isAuthorizedForActions(req, new Action2(),
-						new Action1()));
-	}
+    /*
+     * @Test public void authorizedForActionsNull() { createPolicy();
+     * assertTrue("null actions", PolicyHelper.isAuthorizedForActions(req,
+     * nullAr)); }
+     */
+
+	
+    /*
+     * @Test public void authorizedForActionsAndPass() { createPolicy(new
+     * Action1(), new Action2()); assertTrue("and pass",
+     * PolicyHelper.isAuthorizedForActions(req, new Action1(), new Action2()));
+     * }
+     * 
+     * @Test public void authorizedForActionsAndFail() { createPolicy(new
+     * Action2()); assertFalse("and fail",
+     * PolicyHelper.isAuthorizedForActions(req, new Action1(), new Action2()));
+     * }
+     * 
+     * @Test public void authorizedForActionsAndOrPass() { createPolicy(new
+     * Action3()); assertTrue( "and-or pass",
+     * PolicyHelper.isAuthorizedForActions(req, new Action1().and(new
+     * Action2()).or(new Action3()))); }
+     */
+    /*
+     * @Test public void authorizedForActionsAndOrFail() { createPolicy(new
+     * Action1()); assertFalse( "and-or fail",
+     * PolicyHelper.isAuthorizedForActions(req, new Action1().and(new
+     * Action2()).or(new Action3()))); }
+     */
+
+    /*
+     * @Test public void authorizedByACombinationOfPolicies() {
+     * PolicyStore.addPolicy(new MySimplePolicy(new Action1()));
+     * PolicyStore.addPolicy(new MySimplePolicy(new Action2()));
+     * assertTrue("combination of policies",
+     * PolicyHelper.isAuthorizedForActions(req, new Action2(), new Action1()));
+     * }
+     */
 
 	// ----------------------------------------------------------------------
 	// Helper Classes
 	// ----------------------------------------------------------------------
 
-	public static class Action1 extends RequestedAction {
+	public static class Action1 extends AccessObject {
+
+        @Override
+        public AccessObjectType getType() {
+            return null;
+        }
 		// actions must be public, with public constructor
 	}
 
-	public static class Action2 extends RequestedAction {
+	public static class Action2 extends AccessObject {
+	    
+        @Override
+        public AccessObjectType getType() {
+            return null;
+        }
 		// actions must be public, with public constructor
 	}
 
-	public static class Action3 extends RequestedAction {
+	public static class Action3 extends AccessObject {
+	    
+        @Override
+        public AccessObjectType getType() {
+            return null;
+        }
 		// actions must be public, with public constructor
 	}
 
-	private static class MySimplePolicy implements PolicyIface {
-		private final Set<RequestedAction> authorizedActions;
+	private static class MySimplePolicy implements Policy {
+		private final Set<AccessObject> authorizedActions;
 
-		public MySimplePolicy(RequestedAction... authorizedActions) {
-			this.authorizedActions = new HashSet<RequestedAction>(
+		public MySimplePolicy(AccessObject... authorizedActions) {
+			this.authorizedActions = new HashSet<AccessObject>(
 					Arrays.asList(authorizedActions));
 		}
 
 		@Override
-		public PolicyDecision isAuthorized(IdentifierBundle whoToAuth,
-				RequestedAction whatToAuth) {
-			for (RequestedAction authorized : authorizedActions) {
+		public PolicyDecision decide(AuthorizationRequest ar) {
+            AccessObject whatToAuth = ar.getAccessObject();
+			for (AccessObject authorized : authorizedActions) {
 				if (authorized.getClass().equals(whatToAuth.getClass())) {
-					return new BasicPolicyDecision(Authorization.AUTHORIZED,
+					return new BasicPolicyDecision(DecisionResult.AUTHORIZED,
 							"matched " + authorized.getClass().getSimpleName());
 				}
 
 			}
-			return new BasicPolicyDecision(Authorization.INCONCLUSIVE, "nope");
+			return new BasicPolicyDecision(DecisionResult.INCONCLUSIVE, "nope");
 		}
 
 	}
diff --git a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyHelper_ModelsTest.java b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyHelper_ModelsTest.java
index 17621a2b8f..bc9855eae9 100644
--- a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyHelper_ModelsTest.java
+++ b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyHelper_ModelsTest.java
@@ -32,12 +32,13 @@
 import org.apache.jena.util.iterator.NiceIterator;
 
 import edu.cornell.mannlib.vitro.testing.AbstractTestClass;
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation;
 import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle;
-import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.Authorization;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.AccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.DecisionResult;
 import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyDecision;
-import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyIface;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AbstractPropertyStatementAction;
+import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.Policy;
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.AuthorizationRequest;
 
 /**
  * Test the function of PolicyHelper in authorizing models of additions and
@@ -76,12 +77,14 @@ public void setup() {
 
 		session = new HttpSessionStub();
 		session.setServletContext(ctx);
+        PolicyStore.getInstance().clear();
+
 
 		req = new HttpServletRequestStub();
 		req.setSession(session);
 
-		setLoggerLevel(ServletPolicyList.class, Level.WARN);
-		ServletPolicyList.addPolicy(ctx, new MySimplePolicy());
+		setLoggerLevel(PolicyStore.class, Level.WARN);
+		PolicyStore.getInstance().add(new MySimplePolicy());
 
 //		setLoggerLevel(PolicyHelper.class, Level.DEBUG);
 	}
@@ -324,15 +327,15 @@ public Statement next() {
 	 * resource, or (2) The subject is related to the primary resource by a
 	 * "friend" property statement.
 	 */
-	private class MySimplePolicy implements PolicyIface {
+	private class MySimplePolicy implements Policy {
 		@Override
-		public PolicyDecision isAuthorized(IdentifierBundle whoToAuth,
-				RequestedAction whatToAuth) {
-			if (!(whatToAuth instanceof AbstractPropertyStatementAction)) {
+		public PolicyDecision decide(AuthorizationRequest ar) {
+	        AccessObject whatToAuth = ar.getAccessObject();
+			if (!(whatToAuth instanceof AccessObject)) {
 				return inconclusive();
 			}
 
-			AbstractPropertyStatementAction action = (AbstractPropertyStatementAction) whatToAuth;
+			AccessObject action = (AccessObject) whatToAuth;
 
 			String subjectUri = action.getResourceUris()[0];
 			if (PRIMARY_RESOURCE_URI.equals(subjectUri)) {
@@ -341,14 +344,14 @@ public PolicyDecision isAuthorized(IdentifierBundle whoToAuth,
 
 			Statement friendStmt = objectStatement(PRIMARY_RESOURCE_URI,
 					FRIEND_PREDICATE_URI, subjectUri);
-			if (statementExists(action.getOntModel(), friendStmt)) {
+			if (statementExists(action.getStatementOntModel(), friendStmt)) {
 				return authorized();
 			}
 
 			return inconclusive();
 		}
 
-		private boolean statementExists(OntModel oModel, Statement stmt) {
+		private boolean statementExists(Model oModel, Statement stmt) {
 			StmtIterator stmts = oModel.listStatements(stmt.getSubject(),
 					stmt.getPredicate(), stmt.getObject());
 			try {
@@ -359,11 +362,11 @@ private boolean statementExists(OntModel oModel, Statement stmt) {
 		}
 
 		private PolicyDecision authorized() {
-			return new BasicPolicyDecision(Authorization.AUTHORIZED, "");
+			return new BasicPolicyDecision(DecisionResult.AUTHORIZED, "");
 		}
 
 		private PolicyDecision inconclusive() {
-			return new BasicPolicyDecision(Authorization.INCONCLUSIVE, "");
+			return new BasicPolicyDecision(DecisionResult.INCONCLUSIVE, "");
 		}
 	}
 
diff --git a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyHelper_StatementsTest.java b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyHelper_StatementsTest.java
index 3e12713f5b..5a4dc3cd1a 100644
--- a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyHelper_StatementsTest.java
+++ b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyHelper_StatementsTest.java
@@ -20,13 +20,15 @@
 import org.apache.jena.rdf.model.Statement;
 
 import edu.cornell.mannlib.vitro.testing.AbstractTestClass;
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation;
 import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle;
-import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.Authorization;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.AccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.DataPropertyStatementAccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.ObjectPropertyStatementAccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.DecisionResult;
 import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyDecision;
-import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyIface;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AbstractDataPropertyStatementAction;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AbstractObjectPropertyStatementAction;
+import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.Policy;
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.AuthorizationRequest;
 
 /**
  * Test the function of PolicyHelper in authorizing statements and models.
@@ -51,11 +53,12 @@ public void setup() {
 
 		req = new HttpServletRequestStub();
 		req.setSession(session);
+        PolicyStore.getInstance().clear();
 
 		ontModel = ModelFactory.createOntologyModel(OntModelSpec.OWL_MEM);
 
-		setLoggerLevel(ServletPolicyList.class, Level.WARN);
-		ServletPolicyList.addPolicy(ctx, new MySimplePolicy());
+		setLoggerLevel(PolicyStore.class, Level.WARN);
+		PolicyStore.getInstance().add(new MySimplePolicy());
 	}
 
 	// ----------------------------------------------------------------------
@@ -194,24 +197,24 @@ private Statement objectStatement(String subjectUri, String predicateUri,
 	// Helper classes
 	// ----------------------------------------------------------------------
 
-	private static class MySimplePolicy implements PolicyIface {
+	private static class MySimplePolicy implements Policy {
 		@Override
-		public PolicyDecision isAuthorized(IdentifierBundle whoToAuth,
-				RequestedAction whatToAuth) {
-			if (whatToAuth instanceof AbstractDataPropertyStatementAction) {
-				return isAuthorized((AbstractDataPropertyStatementAction) whatToAuth);
-			} else if (whatToAuth instanceof AbstractObjectPropertyStatementAction) {
-				return isAuthorized((AbstractObjectPropertyStatementAction) whatToAuth);
+		public PolicyDecision decide(AuthorizationRequest ar) {
+	        AccessObject whatToAuth = ar.getAccessObject();
+			if (whatToAuth instanceof DataPropertyStatementAccessObject) {
+				return isAuthorized((DataPropertyStatementAccessObject) whatToAuth);
+			} else if (whatToAuth instanceof ObjectPropertyStatementAccessObject) {
+				return isAuthorized((ObjectPropertyStatementAccessObject) whatToAuth);
 			} else {
 				return inconclusive();
 			}
 		}
 
 		private PolicyDecision isAuthorized(
-				AbstractDataPropertyStatementAction whatToAuth) {
-			if ((APPROVED_SUBJECT_URI.equals(whatToAuth.getSubjectUri()))
+				DataPropertyStatementAccessObject whatToAuth) {
+			if ((APPROVED_SUBJECT_URI.equals(whatToAuth.getStatementSubject()))
 					&& (APPROVED_PREDICATE_URI.equals(whatToAuth
-							.getPredicateUri()))) {
+							.getStatementPredicateUri()))) {
 				return authorized();
 			} else {
 				return inconclusive();
@@ -219,11 +222,11 @@ private PolicyDecision isAuthorized(
 		}
 
 		private PolicyDecision isAuthorized(
-				AbstractObjectPropertyStatementAction whatToAuth) {
-			if ((APPROVED_SUBJECT_URI.equals(whatToAuth.getSubjectUri()))
+				ObjectPropertyStatementAccessObject whatToAuth) {
+			if ((APPROVED_SUBJECT_URI.equals(whatToAuth.getStatementSubject()))
 					&& (APPROVED_PREDICATE_URI.equals(whatToAuth
-							.getPredicateUri()))
-					&& (APPROVED_OBJECT_URI.equals(whatToAuth.getObjectUri()))) {
+							.getStatementPredicateUri()))
+					&& (APPROVED_OBJECT_URI.equals(whatToAuth.getStatementObject()))) {
 				return authorized();
 			} else {
 				return inconclusive();
@@ -231,11 +234,11 @@ private PolicyDecision isAuthorized(
 		}
 
 		private PolicyDecision authorized() {
-			return new BasicPolicyDecision(Authorization.AUTHORIZED, "");
+			return new BasicPolicyDecision(DecisionResult.AUTHORIZED, "");
 		}
 
 		private PolicyDecision inconclusive() {
-			return new BasicPolicyDecision(Authorization.INCONCLUSIVE, "");
+			return new BasicPolicyDecision(DecisionResult.INCONCLUSIVE, "");
 		}
 	}
 
diff --git a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyLoaderTest.java b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyLoaderTest.java
new file mode 100644
index 0000000000..e3e677bf03
--- /dev/null
+++ b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyLoaderTest.java
@@ -0,0 +1,94 @@
+package edu.cornell.mannlib.vitro.webapp.auth.policy;
+
+import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType.NAMED_OBJECT;
+import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation.EXECUTE;
+import static edu.cornell.mannlib.vitro.webapp.dao.VitroVocabulary.AUTH_INDIVIDUAL_PREFIX;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+
+import java.util.List;
+import java.util.Map;
+
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AttributeValueKey;
+import edu.cornell.mannlib.vitro.webapp.modelaccess.ModelNames;
+import org.apache.jena.rdf.model.Model;
+import org.apache.jena.rdf.model.ModelFactory;
+import org.junit.Test;
+
+public class PolicyLoaderTest extends PolicyTest {
+
+    private static final String PREFIX =
+            "https://vivoweb.org/ontology/vitro-application/auth/individual/template/test-data-set-templates/";
+    public static final String DATA_SET = RESOURCES_RULES_PREFIX + "data_set_templates.n3";
+
+    @Test
+    public void getRoleDataSetTemplatesTest() {
+        load(DATA_SET);
+        Map<String, String> templates = PolicyLoader.getInstance().getRoleDataSetTemplates();
+        assertEquals(2, templates.size());
+        assertTrue(templates.containsKey(PREFIX + "RoleDataSetTemplate1"));
+        assertEquals(PREFIX + "PolicyTemplate", templates.get(PREFIX + "RoleDataSetTemplate1"));
+        assertTrue(templates.containsKey(PREFIX + "RoleDataSetTemplate2"));
+        assertEquals(PREFIX + "PolicyTemplate", templates.get(PREFIX + "RoleDataSetTemplate2"));
+    }
+
+    @Test
+    public void getRoleDataSetKeyTemplateTest() {
+        load(DATA_SET);
+        List<String> keys = PolicyLoader.getInstance().getDataSetKeysFromTemplate(PREFIX + "RoleDataSetTemplate1");
+        assertEquals(2, keys.size());
+        assertTrue(keys.contains(AUTH_INDIVIDUAL_PREFIX + "NamedObject"));
+        assertTrue(keys.contains(AUTH_INDIVIDUAL_PREFIX + "ExecuteOperation"));
+    }
+
+    @Test
+    public void getRoleDataSetDraftKeyTemplateTest() {
+        load(DATA_SET);
+        List<String> keys =
+                PolicyLoader.getInstance().getDataSetKeyTemplatesFromTemplate(PREFIX + "RoleDataSetTemplate1");
+        assertEquals(1, keys.size());
+        assertTrue(keys.contains(AUTH_INDIVIDUAL_PREFIX + "SubjectRole"));
+    }
+
+    @Test
+    public void getDataSetUriByKeyTest() {
+        load(DATA_SET);
+        String uri = PolicyLoader.getInstance().getDataSetUriByKey(new String[] {  },
+                new String[] { NAMED_OBJECT.toString(), EXECUTE.toString(), PUBLIC });
+        assertEquals(PREFIX + "PublicDataSet", uri);
+    }
+
+    @Test
+    public void getRoleDataSetValuesTemplateTest() {
+        load(DATA_SET);
+        List<String> values = PolicyLoader.getInstance().getDataSetValuesFromTemplate(PREFIX + "RoleDataSetTemplate1");
+        assertEquals(1, values.size());
+        assertEquals(values.get(0), AUTH_INDIVIDUAL_PREFIX + "PublicRoleValueSet");
+    }
+
+    @Test
+    public void getDataSetKeyTest() {
+        load(DATA_SET);
+        AttributeValueKey expectedKey = new AttributeValueKey();
+        expectedKey.setOperation(EXECUTE);
+        expectedKey.setRole(PUBLIC);
+        expectedKey.setObjectType(NAMED_OBJECT);
+        AttributeValueKey compositeKey = PolicyLoader.getInstance().getDataSetKey(PREFIX + "PublicDataSet");
+        assertEquals(expectedKey, compositeKey);
+
+    }
+
+    @Test
+    public void getSubjectRoleValuePatternTest() {
+        List<String> patterns = loader.getSubjectRoleValuePattern(CUSTOM);
+        assertTrue(patterns.isEmpty());
+
+        Model tmpModel = ModelFactory.createDefaultModel();
+        PolicyTemplateController.createSubjectRoleUri(CUSTOM, tmpModel);
+        accessControlModel.add(tmpModel);
+        configurationDataSet.replaceNamedModel(ModelNames.ACCESS_CONTROL, accessControlModel);
+        patterns = loader.getSubjectRoleValuePattern(CUSTOM);
+        assertTrue(!patterns.isEmpty());
+        assertEquals(1, patterns.size());
+    }
+}
diff --git a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyStoreTest.java b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyStoreTest.java
new file mode 100644
index 0000000000..8c8b406afc
--- /dev/null
+++ b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyStoreTest.java
@@ -0,0 +1,66 @@
+package edu.cornell.mannlib.vitro.webapp.auth.policy;
+
+import static org.junit.Assert.assertEquals;
+
+import org.junit.Test;
+
+public class PolicyStoreTest {
+
+    @Test
+    public void testPriorityOrder() {
+        PolicyStore store = PolicyStore.getInstance();
+        store.clear();
+        store.add(new DynamicPolicy("lowest", 0));
+        assertEquals(0, store.getList().get(0).getPriority());
+        store.add(new DynamicPolicy("lower", 1));
+        assertEquals(1, store.getList().get(0).getPriority());
+        store.add(new DynamicPolicy("more important", 4));
+        assertEquals(4, store.getList().get(0).getPriority());
+        store.add(new DynamicPolicy("imporant", 3));
+        assertEquals(4, store.getList().get(0).getPriority());
+        store.add(new DynamicPolicy("normal", 2));
+        assertEquals(4, store.getList().get(0).getPriority());
+        store.add(new DynamicPolicy("most imporant", 5));
+        assertEquals(5, store.getList().get(0).getPriority());
+        store.clear();
+    }
+
+    @Test
+    public void testPriorityDuplicates() {
+        PolicyStore store = PolicyStore.getInstance();
+        store.clear();
+        store.add(new DynamicPolicy("not important", 0));
+        assertEquals(0, store.getList().get(0).getPriority());
+        assertEquals(1, store.size());
+        store.add(new DynamicPolicy("important", 1));
+        assertEquals(2, store.size());
+        assertEquals(1, store.getList().get(0).getPriority());
+        store.add(new DynamicPolicy("not imporant too", 0));
+        assertEquals(3, store.size());
+        assertEquals(1, store.getList().get(0).getPriority());
+        store.add(new DynamicPolicy("equally imporant", 1));
+        assertEquals(4, store.size());
+        store.clear();
+    }
+
+    @Test
+    public void testUriDuplicates() {
+        PolicyStore store = PolicyStore.getInstance();
+        store.clear();
+        store.add(new DynamicPolicy("unique", 0));
+        assertEquals(1, store.size());
+        store.add(new DynamicPolicy("not unique", 0));
+        assertEquals(2, store.size());
+        // replace current policy with the same priority
+        store.add(new DynamicPolicy("not unique", 0));
+        assertEquals(2, store.size());
+        assertEquals(0, store.getList().get(0).getPriority());
+        // replace current policy with different priority
+        store.add(new DynamicPolicy("not unique", 1));
+        assertEquals(2, store.size());
+        assertEquals(1, store.getList().get(0).getPriority());
+        store.add(new DynamicPolicy("unique too", 0));
+        assertEquals(3, store.size());
+        store.clear();
+    }
+}
diff --git a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyTest.java b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyTest.java
new file mode 100644
index 0000000000..e43d9472e8
--- /dev/null
+++ b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyTest.java
@@ -0,0 +1,159 @@
+package edu.cornell.mannlib.vitro.webapp.auth.policy;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+
+import java.util.Arrays;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import java.util.stream.Collectors;
+
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AttributeValueSetRegistry;
+import edu.cornell.mannlib.vitro.webapp.auth.checks.Check;
+import edu.cornell.mannlib.vitro.webapp.auth.rules.AccessRule;
+import edu.cornell.mannlib.vitro.webapp.modelaccess.ModelNames;
+import edu.cornell.mannlib.vitro.webapp.rdfservice.impl.jena.model.RDFServiceModel;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.jena.query.Dataset;
+import org.apache.jena.query.DatasetFactory;
+import org.apache.jena.rdf.model.Model;
+import org.apache.jena.rdf.model.ModelFactory;
+import org.apache.jena.shared.Lock;
+import org.apache.log4j.Level;
+import org.apache.log4j.LogManager;
+import org.apache.log4j.Logger;
+import org.junit.After;
+import org.junit.Before;
+
+public class PolicyTest {
+    public static final String USER_ACCOUNTS_HOME_FIRSTTIME = "../home/src/main/resources/rdf/accessControl/firsttime/";
+
+    public static final String ADMIN = "http://vitro.mannlib.cornell.edu/ns/vitro/authorization#ADMIN";
+    public static final String EDITOR = "http://vitro.mannlib.cornell.edu/ns/vitro/authorization#EDITOR";
+    public static final String SELF_EDITOR = "http://vitro.mannlib.cornell.edu/ns/vitro/authorization#SELF_EDITOR";
+    public static final String CURATOR = "http://vitro.mannlib.cornell.edu/ns/vitro/authorization#CURATOR";
+    public static final String PUBLIC = "http://vitro.mannlib.cornell.edu/ns/vitro/authorization#PUBLIC";
+    protected static final String CUSTOM = "http://vitro.mannlib.cornell.edu/ns/vitro/authorization#CUSTOM";
+
+    public static final String ONTOLOGY_PATH = USER_ACCOUNTS_HOME_FIRSTTIME + "ontology.n3";
+    public static final String OPERATIONS_PATH = USER_ACCOUNTS_HOME_FIRSTTIME + "operations.n3";
+    public static final String SUBJECT_TYPES = USER_ACCOUNTS_HOME_FIRSTTIME + "subject_types.n3";
+    public static final String OBJECT_TYPES = USER_ACCOUNTS_HOME_FIRSTTIME + "object_types.n3";
+    public static final String ATTRIBUTES_PATH = USER_ACCOUNTS_HOME_FIRSTTIME + "attributes.n3";
+    public static final String OPERATORS_PATH = USER_ACCOUNTS_HOME_FIRSTTIME + "operators.n3";
+    public static final String PROFILE_PROXIMITY_QUERY = USER_ACCOUNTS_HOME_FIRSTTIME + "profile_proximity_query.n3";
+    public static final String TEST_DECISIONS = USER_ACCOUNTS_HOME_FIRSTTIME + "decisions.n3";
+    public static final String ROLES = USER_ACCOUNTS_HOME_FIRSTTIME + "roles.n3";
+    protected static final String RESOURCES_PREFIX = "src/test/resources/edu/cornell/mannlib/vitro/webapp/auth/";
+    protected static final String RESOURCES_RULES_PREFIX = RESOURCES_PREFIX + "rules/";
+
+    public static final String VALID_POLICY = RESOURCES_RULES_PREFIX + "test_policy_valid.n3";
+    public static final String VALID_POLICY_TEMPLATE = RESOURCES_RULES_PREFIX + "test_policy_valid_set.n3";
+    public static final String BROKEN_POLICY_TEMPLATE = RESOURCES_RULES_PREFIX + "test_policy_broken_set.n3";
+    // TODO:Implement public static final String POLICY_KEY_TEST = RESOURCES_RULES_PREFIX + "test_policy_key.n3";
+
+    public static final String TEMPLATE_CLASS_PATH = USER_ACCOUNTS_HOME_FIRSTTIME + "template_access_allowed_class.n3";
+
+    public static final String TEMPLATE_PROPERTIES_PATH =
+            USER_ACCOUNTS_HOME_FIRSTTIME + "template_access_allowed_property.n3";
+
+    public static final String TEMPLATE_RELATED_PROPERTIES_PATH =
+            USER_ACCOUNTS_HOME_FIRSTTIME + "template_access_related_allowed_property.n3";
+
+    public static final String TEMPLATE_RELATED_UPDATE_PATH =
+            USER_ACCOUNTS_HOME_FIRSTTIME + "template_update_related_allowed_property.n3";
+
+    protected static final List<String> ROLE_LIST = Arrays.asList(ADMIN, CURATOR, EDITOR, SELF_EDITOR, PUBLIC);
+    public static final String PREFIX = "https://vivoweb.org/ontology/vitro-application/auth/individual/";
+    public static final String DATASET = "_dataset";
+    public static final String EXT = ".n3";
+
+    private static final Log log = LogFactory.getLog(PolicyTest.class);
+
+    protected static final List<String> entityPolicies = Arrays.asList(TEMPLATE_CLASS_PATH, TEMPLATE_PROPERTIES_PATH,
+            TEMPLATE_RELATED_PROPERTIES_PATH, TEMPLATE_RELATED_UPDATE_PATH);
+
+    protected Model accessControlModel;
+    protected PolicyLoader loader;
+    protected Dataset configurationDataSet;
+
+    @Before
+    public void init() {
+        accessControlModel = ModelFactory.createDefaultModel();
+        configurationDataSet = DatasetFactory.createTxnMem();
+        configurationDataSet.addNamedModel(ModelNames.ACCESS_CONTROL, accessControlModel);
+        load(OPERATIONS_PATH);
+        load(ROLES);
+        load(SUBJECT_TYPES);
+        load(OBJECT_TYPES);
+        load(ATTRIBUTES_PATH);
+        load(OPERATORS_PATH);
+        load(PROFILE_PROXIMITY_QUERY);
+        load(TEST_DECISIONS);
+        RDFServiceModel rdfService = new RDFServiceModel(configurationDataSet);
+        AttributeValueSetRegistry.getInstance().clear();
+        PolicyLoader.initialize(rdfService);
+        loader = PolicyLoader.getInstance();
+        Logger logger = LogManager.getLogger(PolicyLoader.class);
+        logger.setLevel(Level.ERROR);
+    }
+
+    @After
+    public void finish() {
+        AttributeValueSetRegistry.getInstance().clear();
+    }
+
+    protected void countRulesAndAttributes(DynamicPolicy policy, int ruleCount, Set<Integer> checksCount) {
+        assertTrue(policy != null);
+        Set<AccessRule> rules = policy.getRules();
+        Map<String, AccessRule> ruleMap = rules.stream().collect(Collectors.toMap(r -> r.getRuleUri(), r -> r));
+        if (ruleCount != ruleMap.size()) {
+            log.error(String.format("Rules count %s doesn't match for policy %s", ruleMap.size(), policy.getUri()));
+            for (AccessRule ar : ruleMap.values()) {
+                log.error(String.format("Rule uri %s", ar.getRuleUri()));
+            }
+        }
+        assertEquals(ruleCount, ruleMap.size());
+        for (AccessRule ar : ruleMap.values()) {
+            if (!checksCount.contains(ar.getChecks().size())) {
+                log.error(String.format("Checks count %s doesn't match for policy %s", ar.getChecks().size(),
+                        policy.getUri()));
+                for (String checkUri : ar.getCheckUris()) {
+                    log.error(String.format("Checks uri %s", checkUri));
+                }
+            }
+            assertTrue(checksCount.contains(ar.getChecks().size()));
+            for (Check att : ar.getChecks()) {
+                assertTrue(!att.getValues().isEmpty());
+            }
+        }
+    }
+
+    protected void loadAllEntityPolicies() {
+        for (String policyPath : entityPolicies) {
+            load(policyPath);
+        }
+    }
+
+    protected void load(String filePath) {
+        try {
+            accessControlModel.enterCriticalSection(Lock.WRITE);
+            accessControlModel.read(filePath);
+        } finally {
+            accessControlModel.leaveCriticalSection();
+        }
+        configurationDataSet.replaceNamedModel(ModelNames.ACCESS_CONTROL, accessControlModel);
+
+    }
+
+    protected void load(Model m, String filePath) {
+        try {
+            m.enterCriticalSection(Lock.WRITE);
+            m.read(filePath);
+        } finally {
+            m.leaveCriticalSection();
+        }
+    }
+}
diff --git a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/ProximityTest.java b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/ProximityTest.java
new file mode 100644
index 0000000000..4f002f945e
--- /dev/null
+++ b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/ProximityTest.java
@@ -0,0 +1,54 @@
+package edu.cornell.mannlib.vitro.webapp.auth.policy;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+
+import java.util.Arrays;
+import java.util.Set;
+
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.AccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.ObjectPropertyStatementAccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.DecisionResult;
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.SimpleAuthorizationRequest;
+import edu.cornell.mannlib.vitro.webapp.auth.rules.AccessRule;
+import org.apache.jena.rdf.model.Model;
+import org.apache.jena.rdf.model.ModelFactory;
+import org.apache.jena.shared.Lock;
+import org.junit.Test;
+
+public class ProximityTest extends PolicyTest {
+
+    private static final String PROXIMITY_POLICY_PATH = RESOURCES_RULES_PREFIX + "proximity_test_policy.n3";
+    private static final String PROXIMITY_DATA_PATH = RESOURCES_RULES_PREFIX + "proximity_test_data.n3";
+
+    @Test
+    public void testProximityPolicy() {
+        load(PROXIMITY_POLICY_PATH);
+        String policyUri = "https://vivoweb.org/ontology/vitro-application/auth/individual/ProximityTestPolicy";
+        Set<DynamicPolicy> policies = loader.loadPolicies(policyUri);
+        assertEquals(1, policies.size());
+        DynamicPolicy policy = policies.iterator().next();
+        assertTrue(policy != null);
+        assertTrue(policy.getRules().size() == 1);
+        AccessRule rule = policy.getRules().iterator().next();
+        assertEquals(true, rule.isAllowMatched());
+        assertEquals(1, rule.getChecksCount());
+
+        Model targetModel = ModelFactory.createDefaultModel();
+        try {
+            targetModel.enterCriticalSection(Lock.WRITE);
+            targetModel.read(PROXIMITY_DATA_PATH);
+        } finally {
+            targetModel.leaveCriticalSection();
+        }
+        AccessObject ao = new ObjectPropertyStatementAccessObject(targetModel, "test:publication", null, null);
+        SimpleAuthorizationRequest ar = new SimpleAuthorizationRequest(ao, AccessOperation.EDIT);
+        ar.setEditorUris(Arrays.asList("test:bob"));
+        assertEquals(DecisionResult.INCONCLUSIVE, policy.decide(ar).getDecisionResult());
+        ar = new SimpleAuthorizationRequest(ao, AccessOperation.EDIT);
+        ar.setEditorUris(Arrays.asList("test:alice"));
+        assertEquals(DecisionResult.AUTHORIZED, policy.decide(ar).getDecisionResult());
+        ar = new SimpleAuthorizationRequest(ao, AccessOperation.EDIT);
+    }
+}
diff --git a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/RootUserPolicyTest.java b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/RootUserPolicyTest.java
new file mode 100644
index 0000000000..e687f6f256
--- /dev/null
+++ b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/RootUserPolicyTest.java
@@ -0,0 +1,26 @@
+package edu.cornell.mannlib.vitro.webapp.auth.policy;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+
+import java.util.Collections;
+import java.util.Set;
+
+import org.junit.Test;
+
+public class RootUserPolicyTest extends PolicyTest {
+
+    public static final String ROOT_POLICY_PATH = PolicyTest.USER_ACCOUNTS_HOME_FIRSTTIME + "policy_root_user.n3";
+
+    @Test
+    public void testLoadRootUserPolicy() {
+        load(ROOT_POLICY_PATH);
+        String policyUri = "https://vivoweb.org/ontology/vitro-application/auth/individual/root-user/Policy";
+        Set<DynamicPolicy> policies = loader.loadPolicies(policyUri);
+        assertEquals(1, policies.size());
+        DynamicPolicy policy = policies.iterator().next();
+        assertTrue(policy != null);
+        assertEquals(10000, policy.getPriority());
+        countRulesAndAttributes(policy, 1, Collections.singleton(1));
+    }
+}
diff --git a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/SelfEditingPolicyTest.java b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/SelfEditingPolicyTest.java
deleted file mode 100644
index 17ef2333a4..0000000000
--- a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/SelfEditingPolicyTest.java
+++ /dev/null
@@ -1,393 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.policy;
-
-import static edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.Authorization.AUTHORIZED;
-import static edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.Authorization.INCONCLUSIVE;
-import static edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction.SOME_LITERAL;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertNotNull;
-import static org.junit.Assert.assertNull;
-
-import org.junit.Before;
-import org.junit.Test;
-
-import stubs.edu.cornell.mannlib.vitro.webapp.auth.policy.bean.PropertyRestrictionBeanStub;
-import stubs.javax.servlet.ServletContextStub;
-
-import org.apache.jena.ontology.OntModel;
-import org.apache.jena.ontology.OntModelSpec;
-import org.apache.jena.rdf.model.ModelFactory;
-
-import edu.cornell.mannlib.vitro.testing.AbstractTestClass;
-import edu.cornell.mannlib.vitro.webapp.auth.identifier.ArrayIdentifierBundle;
-import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle;
-import edu.cornell.mannlib.vitro.webapp.auth.identifier.common.HasProfile;
-import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.Authorization;
-import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyDecision;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.admin.AddNewUser;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.admin.LoadOntology;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.admin.RebuildTextIndex;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.admin.RemoveUser;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.admin.ServerStatus;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.admin.UpdateTextIndex;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ontology.CreateOwlClass;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ontology.DefineDataProperty;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ontology.DefineObjectProperty;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ontology.RemoveOwlClass;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AddDataPropertyStatement;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AddObjectPropertyStatement;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.DropObjectPropertyStatement;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.EditDataPropertyStatement;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.EditObjectPropertyStatement;
-import edu.cornell.mannlib.vitro.webapp.beans.IndividualImpl;
-import edu.cornell.mannlib.vitro.webapp.beans.Property;
-import edu.cornell.mannlib.vitro.webapp.dao.VitroVocabulary;
-
-public class SelfEditingPolicyTest extends AbstractTestClass {
-
-	private static final String SAFE_NS = "http://test.mannlib.cornell.edu/ns/01#";
-	private static final String UNSAFE_NS = VitroVocabulary.vitroURI;
-
-	private static final String SELFEDITOR_URI = SAFE_NS + "individual244";
-	private static final String SAFE_RESOURCE = SAFE_NS
-			+ "otherIndividual77777";
-	private static final String UNSAFE_RESOURCE = UNSAFE_NS
-			+ "otherIndividual99999";
-
-	private static final Property SAFE_PREDICATE = new Property(SAFE_NS + "hasHairStyle");
-	private static final Property UNSAFE_PREDICATE = new Property(UNSAFE_NS + "hasSuperPowers");
-
-	private ServletContextStub ctx;
-
-	private SelfEditingPolicy policy;
-	private IdentifierBundle ids;
-	private RequestedAction whatToAuth;
-	private OntModel ontModel;
-
-	@Before
-	public void setUp() {
-		ctx = new ServletContextStub();
-
-		PropertyRestrictionBeanStub
-				.getInstance(new String[] { UNSAFE_NS });
-
-		policy = new SelfEditingPolicy(ctx);
-
-		IndividualImpl ind = new IndividualImpl();
-		ind.setURI(SELFEDITOR_URI);
-
-		ids = new ArrayIdentifierBundle(new HasProfile(SELFEDITOR_URI));
-
-		ontModel = ModelFactory.createOntologyModel(OntModelSpec.OWL_MEM);
-	}
-
-	@Test
-	public void testProhibitedProperties() {
-		PropertyRestrictionBeanStub
-				.getInstance(new String[] { UNSAFE_NS }, new String[] {
-						"http://mannlib.cornell.edu/bad#prp234",
-						"http://mannlib.cornell.edu/bad#prp999",
-						"http://mannlib.cornell.edu/bad#prp333",
-						"http://mannlib.cornell.edu/bad#prp777",
-						"http://mannlib.cornell.edu/bad#prp0020" });
-
-		whatToAuth = new AddObjectPropertyStatement(ontModel, SELFEDITOR_URI,
-				new Property("http://mannlib.cornell.edu/bad#prp234"), SAFE_RESOURCE);
-		assertDecision(INCONCLUSIVE, policy.isAuthorized(ids, whatToAuth));
-
-		whatToAuth = new AddObjectPropertyStatement(ontModel, SAFE_RESOURCE,
-				new Property("http://mannlib.cornell.edu/bad#prp234"), SELFEDITOR_URI);
-		assertDecision(INCONCLUSIVE, policy.isAuthorized(ids, whatToAuth));
-
-		whatToAuth = new AddObjectPropertyStatement(ontModel, SELFEDITOR_URI,
-				new Property("http://mannlib.cornell.edu/bad#prp999"), SAFE_RESOURCE);
-		assertDecision(INCONCLUSIVE, policy.isAuthorized(ids, whatToAuth));
-
-		whatToAuth = new AddObjectPropertyStatement(ontModel, SAFE_RESOURCE,
-				new Property("http://mannlib.cornell.edu/bad#prp999"), SELFEDITOR_URI);
-		assertDecision(INCONCLUSIVE, policy.isAuthorized(ids, whatToAuth));
-
-		whatToAuth = new AddObjectPropertyStatement(ontModel, SAFE_RESOURCE,
-				SAFE_PREDICATE, SELFEDITOR_URI);
-		assertDecision(AUTHORIZED, policy.isAuthorized(ids, whatToAuth));
-
-		whatToAuth = new AddObjectPropertyStatement(ontModel, SELFEDITOR_URI,
-				SAFE_PREDICATE, SAFE_RESOURCE);
-		assertDecision(AUTHORIZED, policy.isAuthorized(ids, whatToAuth));
-
-		whatToAuth = new AddObjectPropertyStatement(ontModel, SELFEDITOR_URI,
-				UNSAFE_PREDICATE, SAFE_RESOURCE);
-		assertDecision(INCONCLUSIVE, policy.isAuthorized(ids, whatToAuth));
-
-		// now with dataprop statements
-		whatToAuth = new AddDataPropertyStatement(ontModel, SELFEDITOR_URI,
-				"http://mannlib.cornell.edu/bad#prp234", SOME_LITERAL);
-		assertDecision(INCONCLUSIVE, policy.isAuthorized(ids, whatToAuth));
-
-		whatToAuth = new AddDataPropertyStatement(ontModel, SELFEDITOR_URI,
-				"http://mannlib.cornell.edu/bad#prp999", SOME_LITERAL);
-		assertDecision(INCONCLUSIVE, policy.isAuthorized(ids, whatToAuth));
-
-		whatToAuth = new AddDataPropertyStatement(ontModel, SELFEDITOR_URI,
-				SAFE_PREDICATE.getURI(), SOME_LITERAL);
-		assertDecision(AUTHORIZED, policy.isAuthorized(ids, whatToAuth));
-
-		whatToAuth = new AddDataPropertyStatement(ontModel, SELFEDITOR_URI,
-				UNSAFE_PREDICATE.getURI(), SOME_LITERAL);
-		assertDecision(INCONCLUSIVE, policy.isAuthorized(ids, whatToAuth));
-	}
-
-	@Test
-	public void testVisitIdentifierBundleAddObjectPropStmt() {
-		whatToAuth = new AddObjectPropertyStatement(ontModel, SELFEDITOR_URI,
-				SAFE_PREDICATE, SAFE_RESOURCE);
-		assertDecision(AUTHORIZED, policy.isAuthorized(ids, whatToAuth));
-
-		whatToAuth = new AddObjectPropertyStatement(ontModel, SAFE_RESOURCE,
-				SAFE_PREDICATE, SELFEDITOR_URI);
-		assertDecision(AUTHORIZED, policy.isAuthorized(ids, whatToAuth));
-
-		// this is the case where the editor is not part of the stmt
-		whatToAuth = new AddObjectPropertyStatement(ontModel, SAFE_RESOURCE,
-				SAFE_PREDICATE, SAFE_RESOURCE);
-		assertDecision(INCONCLUSIVE, policy.isAuthorized(ids, whatToAuth));
-
-		whatToAuth = new AddObjectPropertyStatement(ontModel, SELFEDITOR_URI,
-				UNSAFE_PREDICATE, SAFE_RESOURCE);
-		assertDecision(INCONCLUSIVE, policy.isAuthorized(ids, whatToAuth));
-
-		whatToAuth = new AddObjectPropertyStatement(ontModel, SELFEDITOR_URI,
-				SAFE_PREDICATE, UNSAFE_RESOURCE);
-		assertDecision(INCONCLUSIVE, policy.isAuthorized(ids, whatToAuth));
-	}
-
-	//
-	// @Test
-	// public void testVisitIdentifierBundleDropResource() {
-	// fail("Not yet implemented");
-	// }
-	//
-	// @Test
-	// public void testVisitIdentifierBundleDropDataPropStmt() {
-	// fail("Not yet implemented");
-	// }
-	//
-	@Test
-	public void testVisitIdentifierBundleDropObjectPropStmt() {
-		whatToAuth = new DropObjectPropertyStatement(ontModel, SELFEDITOR_URI,
-				SAFE_PREDICATE, SAFE_RESOURCE);
-		assertDecision(AUTHORIZED, policy.isAuthorized(ids, whatToAuth));
-
-		whatToAuth = new DropObjectPropertyStatement(ontModel, SAFE_RESOURCE,
-				SAFE_PREDICATE, SELFEDITOR_URI);
-		assertDecision(AUTHORIZED, policy.isAuthorized(ids, whatToAuth));
-
-		// this is the case where the editor is not part of the stmt
-		whatToAuth = new DropObjectPropertyStatement(ontModel, SAFE_RESOURCE,
-				SAFE_PREDICATE, SAFE_RESOURCE);
-		assertDecision(INCONCLUSIVE, policy.isAuthorized(ids, whatToAuth));
-
-		whatToAuth = new DropObjectPropertyStatement(ontModel, SELFEDITOR_URI,
-				UNSAFE_PREDICATE, SAFE_RESOURCE);
-		assertDecision(INCONCLUSIVE, policy.isAuthorized(ids, whatToAuth));
-
-		whatToAuth = new DropObjectPropertyStatement(ontModel, SELFEDITOR_URI,
-				SAFE_PREDICATE, UNSAFE_RESOURCE);
-		assertDecision(INCONCLUSIVE, policy.isAuthorized(ids, whatToAuth));
-	}
-
-	//
-	// @Test
-	// public void testVisitIdentifierBundleAddResource() {
-	// fail("Not yet implemented");
-	// }
-	//
-	// @Test
-	// public void testVisitIdentifierBundleAddDataPropStmt() {
-	// fail("Not yet implemented");
-	// }
-	//
-	// @Test
-	// public void testVisitIdentifierBundleUploadFile() {
-	// fail("Not yet implemented");
-	// }
-	//
-	//
-	@Test
-	public void testVisitIdentifierBundleEditDataPropStmt() {
-		whatToAuth = new EditDataPropertyStatement(ontModel, SELFEDITOR_URI,SAFE_PREDICATE.getURI(), SOME_LITERAL);
-		assertDecision(AUTHORIZED, policy.isAuthorized(ids, whatToAuth));
-
-		whatToAuth = new EditDataPropertyStatement(ontModel, SELFEDITOR_URI, UNSAFE_PREDICATE.getURI(), SOME_LITERAL);
-		assertDecision(INCONCLUSIVE, policy.isAuthorized(ids, whatToAuth));
-
-		whatToAuth = new EditDataPropertyStatement(ontModel, UNSAFE_RESOURCE, SAFE_PREDICATE.getURI(), SOME_LITERAL);
-		assertDecision(INCONCLUSIVE, policy.isAuthorized(ids, whatToAuth));
-
-		whatToAuth = new EditDataPropertyStatement(ontModel, SAFE_RESOURCE, SAFE_PREDICATE.getURI(), SOME_LITERAL);
-		assertDecision(INCONCLUSIVE, policy.isAuthorized(ids, whatToAuth));
-	}
-
-	@Test
-	public void testVisitIdentifierBundleEditObjPropStmt() {
-		whatToAuth = new EditObjectPropertyStatement(ontModel, SELFEDITOR_URI,
-				SAFE_PREDICATE, SAFE_RESOURCE);
-		assertDecision(AUTHORIZED, policy.isAuthorized(ids, whatToAuth));
-
-		whatToAuth = new EditObjectPropertyStatement(ontModel, SAFE_RESOURCE,
-				SAFE_PREDICATE, SELFEDITOR_URI);
-		assertDecision(AUTHORIZED, policy.isAuthorized(ids, whatToAuth));
-
-		// this is the case where the editor is not part of the stmt
-		whatToAuth = new EditObjectPropertyStatement(ontModel, SAFE_RESOURCE,
-				SAFE_PREDICATE, SAFE_RESOURCE);
-		assertDecision(INCONCLUSIVE, policy.isAuthorized(ids, whatToAuth));
-
-		whatToAuth = new EditObjectPropertyStatement(ontModel, SELFEDITOR_URI,
-				UNSAFE_PREDICATE, SAFE_RESOURCE);
-		assertDecision(INCONCLUSIVE, policy.isAuthorized(ids, whatToAuth));
-
-		whatToAuth = new EditObjectPropertyStatement(ontModel, SELFEDITOR_URI,
-				SAFE_PREDICATE, UNSAFE_RESOURCE);
-		assertDecision(INCONCLUSIVE, policy.isAuthorized(ids, whatToAuth));
-	}
-
-	// ----------------------------------------------------------------------
-	// What if there are two SelfEditor Identifiers?
-	// ----------------------------------------------------------------------
-
-	@Test
-	public void twoSEIsFindObjectPropertySubject() {
-		setUpTwoSEIs();
-		whatToAuth = new DropObjectPropertyStatement(ontModel, SELFEDITOR_URI,
-				SAFE_PREDICATE, SAFE_RESOURCE);
-		assertDecision(AUTHORIZED, policy.isAuthorized(ids, whatToAuth));
-	}
-
-	@Test
-	public void twoSEIsFindObjectPropertyObject() {
-		setUpTwoSEIs();
-		whatToAuth = new DropObjectPropertyStatement(ontModel, SAFE_RESOURCE,
-				SAFE_PREDICATE, SELFEDITOR_URI);
-		assertDecision(AUTHORIZED, policy.isAuthorized(ids, whatToAuth));
-	}
-
-	@Test
-	public void twoSEIsDontFindInObjectProperty() {
-		setUpTwoSEIs();
-		whatToAuth = new DropObjectPropertyStatement(ontModel, SAFE_RESOURCE,
-				SAFE_PREDICATE, SAFE_RESOURCE);
-		assertDecision(INCONCLUSIVE, policy.isAuthorized(ids, whatToAuth));
-	}
-
-	@Test
-	public void twoSEIsFindDataPropertySubject() {
-		setUpTwoSEIs();
-
-		whatToAuth = new EditDataPropertyStatement(ontModel, SELFEDITOR_URI, SAFE_PREDICATE.getURI(), SOME_LITERAL);
-		assertDecision(AUTHORIZED, policy.isAuthorized(ids, whatToAuth));
-	}
-
-	@Test
-	public void twoSEIsDontFindInDataProperty() {
-		setUpTwoSEIs();
-
-		whatToAuth = new EditDataPropertyStatement(ontModel, SAFE_RESOURCE, SAFE_PREDICATE.getURI(), SOME_LITERAL);
-		assertDecision(INCONCLUSIVE, policy.isAuthorized(ids, whatToAuth));
-	}
-
-	private void setUpTwoSEIs() {
-		ids = new ArrayIdentifierBundle();
-
-		IndividualImpl ind1 = new IndividualImpl();
-		ind1.setURI(SAFE_NS + "bozoUri");
-		ids.add(new HasProfile(ind1.getURI()));
-
-		IndividualImpl ind2 = new IndividualImpl();
-		ind2.setURI(SELFEDITOR_URI);
-		ids.add(new HasProfile(ind2.getURI()));
-	}
-
-	// ----------------------------------------------------------------------
-	// Ignore administrative requests.
-	// ----------------------------------------------------------------------
-
-	@Test
-	public void testServerStatus() {
-		assertDecision(INCONCLUSIVE,
-				policy.isAuthorized(ids, new ServerStatus()));
-	}
-
-	@Test
-	public void testCreateOwlClass() {
-		CreateOwlClass a = new CreateOwlClass();
-		a.setSubjectUri("http://someClass/test");
-		assertDecision(INCONCLUSIVE, policy.isAuthorized(ids, a));
-	}
-
-	@Test
-	public void testRemoveOwlClass() {
-		RemoveOwlClass a = new RemoveOwlClass();
-		a.setSubjectUri("http://someClass/test");
-		assertDecision(INCONCLUSIVE, policy.isAuthorized(ids, a));
-	}
-
-	@Test
-	public void testDefineDataProperty() {
-		DefineDataProperty a = new DefineDataProperty();
-		a.setSubjectUri("http://someClass/test");
-		assertDecision(INCONCLUSIVE, policy.isAuthorized(ids, a));
-	}
-
-	@Test
-	public void testDefineObjectProperty() {
-		DefineObjectProperty a = new DefineObjectProperty();
-		a.setSubjectUri("http://someClass/test");
-		assertDecision(INCONCLUSIVE, policy.isAuthorized(ids, a));
-	}
-
-	@Test
-	public void testAddNewUser() {
-		assertDecision(INCONCLUSIVE, policy.isAuthorized(ids, new AddNewUser()));
-	}
-
-	@Test
-	public void testRemoveUser() {
-		assertDecision(INCONCLUSIVE, policy.isAuthorized(ids, new RemoveUser()));
-	}
-
-	@Test
-	public void testLoadOntology() {
-		assertDecision(INCONCLUSIVE,
-				policy.isAuthorized(ids, new LoadOntology()));
-	}
-
-	@Test
-	public void testRebuildTextIndex() {
-		assertDecision(INCONCLUSIVE,
-				policy.isAuthorized(ids, new RebuildTextIndex()));
-	}
-
-	@Test
-	public void testVisitIdentifierBundleUpdateTextIndex() {
-		assertDecision(INCONCLUSIVE,
-				policy.isAuthorized(ids, new UpdateTextIndex()));
-	}
-
-	// ----------------------------------------------------------------------
-	// Helper methods
-	// ----------------------------------------------------------------------
-
-	private void assertDecision(Authorization expectedAuth,
-			PolicyDecision decision) {
-		if (expectedAuth == null) {
-			assertNull("expecting null decision", decision);
-		} else {
-			assertNotNull("expecting a decision", decision);
-			assertEquals("wrong authorization", expectedAuth,
-					decision.getAuthorized());
-		}
-	}
-}
diff --git a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/SelfEditingPolicy_2_Test.java b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/SelfEditingPolicy_2_Test.java
deleted file mode 100644
index ce77498684..0000000000
--- a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/SelfEditingPolicy_2_Test.java
+++ /dev/null
@@ -1,297 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.policy;
-
-import static edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction.SOME_LITERAL;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-import org.junit.Assert;
-import org.junit.Before;
-import org.junit.Test;
-
-import stubs.edu.cornell.mannlib.vitro.webapp.auth.policy.bean.PropertyRestrictionBeanStub;
-import stubs.javax.servlet.ServletContextStub;
-
-import org.apache.jena.ontology.OntModel;
-import org.apache.jena.ontology.OntModelSpec;
-import org.apache.jena.rdf.model.ModelFactory;
-
-import edu.cornell.mannlib.vitro.testing.AbstractTestClass;
-import edu.cornell.mannlib.vitro.webapp.auth.identifier.ArrayIdentifierBundle;
-import edu.cornell.mannlib.vitro.webapp.auth.identifier.Identifier;
-import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle;
-import edu.cornell.mannlib.vitro.webapp.auth.identifier.common.HasProfile;
-import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.Authorization;
-import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyDecision;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AddObjectPropertyStatement;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.EditDataPropertyStatement;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.EditObjectPropertyStatement;
-import edu.cornell.mannlib.vitro.webapp.beans.Individual;
-import edu.cornell.mannlib.vitro.webapp.beans.IndividualImpl;
-import edu.cornell.mannlib.vitro.webapp.beans.Property;
-import edu.cornell.mannlib.vitro.webapp.dao.VitroVocabulary;
-
-public class SelfEditingPolicy_2_Test extends AbstractTestClass {
-	private static final Log log = LogFactory
-			.getLog(SelfEditingPolicy_2_Test.class);
-
-	/** We may edit objects in this arbitrary namespace. */
-	private static final String SAFE_NS = "http://test.mannlib.cornell.edu/ns/01#";
-
-	/** We are not allowed to edit objects in the administrative namespace. */
-	private static final String ADMIN_NS = VitroVocabulary.vitroURI;
-
-	/** The URI of a SelfEditor. */
-	private static final String SELFEDITOR_URI = SAFE_NS + "individual000";
-
-	/** Some things that are safe to edit. */
-	private static final String SAFE_RESOURCE = SAFE_NS + "individual123";
-	private static final String SAFE_PREDICATE = SAFE_NS + "hasHairStyle";
-
-	/** Some things that are not safe to edit. */
-	private static final String ADMIN_RESOURCE = ADMIN_NS + "individual666";
-	private static final String ADMIN_PREDICATE_1 = ADMIN_NS + "hasSuperPowers";
-	private static final String ADMIN_PREDICATE_2 = ADMIN_NS + "mayPrintMoney";
-	private static final String ADMIN_PREDICATE_3 = ADMIN_NS
-			+ "getsOutOfJailFree";
-	private static final String ADMIN_PREDICATE_4 = ADMIN_NS + "canDeleteModel";
-
-	/** The policy we are testing. */
-	SelfEditingPolicy policy;
-
-	/** A SelfEditing individual identifier. */
-	Individual seIndividual;
-
-	/** A bundle that contains a SelfEditing individual. */
-	IdentifierBundle ids;
-
-	/**
-	 * An empty model that acts as a placeholder in the requested actions. The
-	 * SelfEditingPolicy does not base its decisions on the contents of the
-	 * model.
-	 */
-	private OntModel ontModel;
-
-
-	@Before
-	public void setUp() {
-		ServletContextStub ctx = new ServletContextStub();
-		PropertyRestrictionBeanStub.getInstance(new String[] { ADMIN_NS });
-
-		policy = new SelfEditingPolicy(ctx);
-		Assert.assertNotNull(policy);
-
-		seIndividual = new IndividualImpl();
-		seIndividual.setURI(SELFEDITOR_URI);
-
-		ids = new ArrayIdentifierBundle(new HasProfile(SELFEDITOR_URI));
-
-		ontModel = ModelFactory.createOntologyModel(OntModelSpec.OWL_MEM);
-
-		// setLoggerLevel(SelfEditingPolicySetupTest.class, Level.DEBUG);
-	}
-
-	// ----------------------------------------------------------------------
-	// General tests
-	// ----------------------------------------------------------------------
-
-	@Test
-	public void nullRequestedAction() {
-		PolicyDecision dec = policy.isAuthorized(ids, null);
-		Assert.assertNotNull(dec);
-		Assert.assertEquals(Authorization.INCONCLUSIVE, dec.getAuthorized());
-	}
-
-	@Test
-	public void nullIdentifierBundle() {
-		AddObjectPropertyStatement whatToAuth = new AddObjectPropertyStatement(
-				ontModel, SELFEDITOR_URI, new Property(SAFE_PREDICATE), SAFE_RESOURCE);
-		PolicyDecision dec = policy.isAuthorized(null, whatToAuth);
-		Assert.assertNotNull(dec);
-		Assert.assertEquals(Authorization.INCONCLUSIVE, dec.getAuthorized());
-	}
-
-	@Test
-	public void noSelfEditorIdentifier() {
-		ids.clear();
-		ids.add(new Identifier() { /* empty identifier */
-		});
-		assertAddObjectPropStmt(SELFEDITOR_URI, SAFE_PREDICATE, SAFE_RESOURCE,
-				Authorization.INCONCLUSIVE);
-	}
-
-	// ----------------------------------------------------------------------
-	// Tests against AddObjectPropStmt
-	// ----------------------------------------------------------------------
-
-	@Test
-	public void addObjectPropStmtSuccess1() {
-		assertAddObjectPropStmt(SELFEDITOR_URI, SAFE_PREDICATE, SAFE_RESOURCE,
-				Authorization.AUTHORIZED);
-	}
-
-	@Test
-	public void addObjectPropStmtSuccess2() {
-		assertAddObjectPropStmt(SAFE_RESOURCE, SAFE_PREDICATE, SELFEDITOR_URI,
-				Authorization.AUTHORIZED);
-	}
-
-	@Test
-	public void addObjectPropStmtUnsafePredicate1() {
-		assertAddObjectPropStmt(SELFEDITOR_URI, ADMIN_PREDICATE_1,
-				SAFE_RESOURCE, Authorization.INCONCLUSIVE);
-	}
-
-	@Test
-	public void addObjectPropStmtUnsafePredicate2() {
-		assertAddObjectPropStmt(SAFE_RESOURCE, ADMIN_PREDICATE_1,
-				SELFEDITOR_URI, Authorization.INCONCLUSIVE);
-	}
-
-	@Test
-	public void addObjectPropStmtUnsafePredicate3() {
-		assertAddObjectPropStmt(SELFEDITOR_URI, ADMIN_PREDICATE_2,
-				SAFE_RESOURCE, Authorization.INCONCLUSIVE);
-	}
-
-	@Test
-	public void addObjectPropStmtUnsafePredicate4() {
-		assertAddObjectPropStmt(SELFEDITOR_URI, ADMIN_PREDICATE_3,
-				SAFE_RESOURCE, Authorization.INCONCLUSIVE);
-	}
-
-	@Test
-	public void addObjectPropStmtUnsafePredicate5() {
-		assertAddObjectPropStmt(SELFEDITOR_URI, ADMIN_PREDICATE_4,
-				SAFE_RESOURCE, Authorization.INCONCLUSIVE);
-	}
-
-	// ----------------------------------------------------------------------
-	// Tests against EditObjPropStmt
-	// ----------------------------------------------------------------------
-
-	@Test
-	public void editObjectPropStmtSuccess1() {
-		assertEditObjPropStmt(SELFEDITOR_URI, SAFE_PREDICATE, SAFE_RESOURCE,
-				Authorization.AUTHORIZED);
-	}
-
-	@Test
-	public void editObjectPropStmtSuccess2() {
-		assertEditObjPropStmt(SAFE_RESOURCE, SAFE_PREDICATE, SELFEDITOR_URI,
-				Authorization.AUTHORIZED);
-	}
-
-	@Test
-	public void editObjectPropStmtEditorNotInvolved() {
-		// this is the case where the editor is not part of the stmt
-		assertEditObjPropStmt(SAFE_RESOURCE, SAFE_PREDICATE, SAFE_RESOURCE,
-				Authorization.INCONCLUSIVE);
-	}
-
-	@Test
-	public void editObjectPropStmtUnsafeResource() {
-		assertEditObjPropStmt(SELFEDITOR_URI, SAFE_PREDICATE, ADMIN_RESOURCE,
-				Authorization.INCONCLUSIVE);
-	}
-
-	@Test
-	public void editObjectPropStmtUnsafePredicate1() {
-		assertEditObjPropStmt(SELFEDITOR_URI, ADMIN_PREDICATE_4, SAFE_RESOURCE,
-				Authorization.INCONCLUSIVE);
-	}
-
-	@Test
-	public void editObjectPropStmtUnsafePredicate2() {
-		assertEditObjPropStmt(SAFE_RESOURCE, ADMIN_PREDICATE_4, SELFEDITOR_URI,
-				Authorization.INCONCLUSIVE);
-	}
-
-	@Test
-	public void editObjectPropStmtUnsafeBoth() {
-		assertEditObjPropStmt(SELFEDITOR_URI, ADMIN_PREDICATE_4,
-				ADMIN_RESOURCE, Authorization.INCONCLUSIVE);
-	}
-
-	// ----------------------------------------------------------------------
-	// Tests against EditDataPropStmt
-	// ----------------------------------------------------------------------
-
-	@Test
-	public void editDataPropSuccess() {
-		assertEditDataPropStmt(SELFEDITOR_URI, SAFE_PREDICATE, "junk",
-				Authorization.AUTHORIZED);
-	}
-
-	@Test
-	public void editDataPropUnsafePredicate() {
-		assertEditDataPropStmt(SELFEDITOR_URI, ADMIN_PREDICATE_1, "junk",
-				Authorization.INCONCLUSIVE);
-	}
-
-	@Test
-	public void editDataPropUnsafeResource() {
-		assertEditDataPropStmt(ADMIN_RESOURCE, SAFE_PREDICATE, null,
-				Authorization.INCONCLUSIVE);
-	}
-
-	@Test
-	public void editDataPropNoCloseRelation() {
-		assertEditDataPropStmt(SAFE_RESOURCE, SAFE_PREDICATE, null,
-				Authorization.INCONCLUSIVE);
-	}
-
-	@Test
-	public void editDataPropModelProhibited() {
-		// model prohibited
-		assertEditDataPropStmt(SAFE_RESOURCE, ADMIN_PREDICATE_1, null,
-				Authorization.INCONCLUSIVE);
-	}
-
-	// ------------------------------------------------------------------------
-	// Support methods
-	// ------------------------------------------------------------------------
-
-	/**
-	 * Create an {@link AddObjectPropertyStatement}, test it, and compare to
-	 * expected results.
-	 */
-	private void assertAddObjectPropStmt(String uriOfSub, String uriOfPred,
-			String uriOfObj, Authorization expectedAuthorization) {
-		AddObjectPropertyStatement whatToAuth = new AddObjectPropertyStatement(
-				ontModel, uriOfSub, new Property(uriOfPred), uriOfObj);
-		PolicyDecision dec = policy.isAuthorized(ids, whatToAuth);
-		log.debug(dec);
-		Assert.assertNotNull(dec);
-		Assert.assertEquals(expectedAuthorization, dec.getAuthorized());
-	}
-
-	/**
-	 * Create an {@link EditObjectPropertyStatement}, test it, and compare to
-	 * expected results.
-	 */
-	private void assertEditObjPropStmt(String uriOfSub, String uriOfPred,
-			String uriOfObj, Authorization expectedAuthorization) {
-		EditObjectPropertyStatement whatToAuth = new EditObjectPropertyStatement(
-				ontModel, uriOfSub, new Property(uriOfPred), uriOfObj);
-		PolicyDecision dec = policy.isAuthorized(ids, whatToAuth);
-		log.debug(dec);
-		Assert.assertNotNull(dec);
-		Assert.assertEquals(expectedAuthorization, dec.getAuthorized());
-	}
-
-	/**
-	 * Create an {@link EditDataPropertyStatement}, test it, and compare to
-	 * expected results.
-	 */
-	private void assertEditDataPropStmt(String individualURI,
-			String datapropURI, String data, Authorization expectedAuthorization) {
-		EditDataPropertyStatement whatToAuth = new EditDataPropertyStatement(
-				ontModel, individualURI, datapropURI, SOME_LITERAL);
-		PolicyDecision dec = policy.isAuthorized(ids, whatToAuth);
-		log.debug(dec);
-		Assert.assertNotNull(dec);
-		Assert.assertEquals(expectedAuthorization, dec.getAuthorized());
-	}
-}
diff --git a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/SimplePermissionTemplateTest.java b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/SimplePermissionTemplateTest.java
new file mode 100644
index 0000000000..6ff3711777
--- /dev/null
+++ b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/SimplePermissionTemplateTest.java
@@ -0,0 +1,156 @@
+package edu.cornell.mannlib.vitro.webapp.auth.policy;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+
+import java.util.Arrays;
+
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType;
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation;
+import edu.cornell.mannlib.vitro.webapp.auth.permissions.SimplePermission;
+import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.DecisionResult;
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.SimpleAuthorizationRequest;
+import edu.cornell.mannlib.vitro.webapp.auth.rules.AccessRule;
+import org.junit.Test;
+
+public class SimplePermissionTemplateTest extends PolicyTest {
+
+    public static final String ADMIN_SIMPLE_PERMISSIONS_PATH = "simple_permissions_admin";
+    public static final String CURATOR_SIMPLE_PERMISSIONS_PATH = "simple_permissions_curator";
+    public static final String EDITOR_SIMPLE_PERMISSIONS_PATH = "simple_permissions_editor";
+    public static final String SELF_EDITOR_SIMPLE_PERMISSIONS_PATH = "simple_permissions_self_editor";
+    public static final String PUBLIC_SIMPLE_PERMISSIONS_PATH = "simple_permissions_public";
+    public static final String TEMPLATE_PATH = "template_simple_permissions";
+
+    @Test
+    public void testAdminSimplePermissionPolicy() {
+        load(PolicyTest.USER_ACCOUNTS_HOME_FIRSTTIME + TEMPLATE_PATH + EXT);
+        load(USER_ACCOUNTS_HOME_FIRSTTIME + ADMIN_SIMPLE_PERMISSIONS_PATH + EXT);
+        String dataSetUri =
+                "https://vivoweb.org/ontology/vitro-application/auth/individual/simple-permissions/AdminDataSet";
+        DynamicPolicy policy = loader.loadPolicyFromTemplateDataSet(dataSetUri);
+        assertTrue(policy != null);
+        assertEquals(1000, policy.getPriority());
+        assertEquals(1, policy.getRules().size());
+        final AccessRule rule = policy.getRules().iterator().next();
+        assertEquals(true, rule.isAllowMatched());
+        assertEquals(4, rule.getChecksCount());
+
+        SimpleAuthorizationRequest ar = new SimpleAuthorizationRequest(SimplePermission.NS + "SeeSiteAdminPage");
+        ar.setRoleUris(Arrays.asList(CURATOR));
+        assertEquals(DecisionResult.INCONCLUSIVE, policy.decide(ar).getDecisionResult());
+        ar.setRoleUris(Arrays.asList(ADMIN));
+        assertEquals(DecisionResult.AUTHORIZED, policy.decide(ar).getDecisionResult());
+    }
+
+    @Test
+    public void testCuratorSimplePermissionPolicy() {
+        load(PolicyTest.USER_ACCOUNTS_HOME_FIRSTTIME + TEMPLATE_PATH + EXT);
+        load(USER_ACCOUNTS_HOME_FIRSTTIME + CURATOR_SIMPLE_PERMISSIONS_PATH + EXT);
+        String dataSetUri =
+                "https://vivoweb.org/ontology/vitro-application/auth/individual/simple-permissions/CuratorDataSet";
+        DynamicPolicy policy = loader.loadPolicyFromTemplateDataSet(dataSetUri);
+        assertTrue(policy != null);
+        assertEquals(1000, policy.getPriority());
+        assertEquals(1, policy.getRules().size());
+        final AccessRule rule = policy.getRules().iterator().next();
+        assertEquals(true, rule.isAllowMatched());
+        assertEquals(4, rule.getChecksCount());
+
+        SimpleAuthorizationRequest ar = new SimpleAuthorizationRequest(SimplePermission.NS + "EditOntology");
+        ar.setRoleUris(Arrays.asList(EDITOR));
+        assertEquals(DecisionResult.INCONCLUSIVE, policy.decide(ar).getDecisionResult());
+        ar.setRoleUris(Arrays.asList(CURATOR));
+        assertEquals(DecisionResult.AUTHORIZED, policy.decide(ar).getDecisionResult());
+    }
+
+    @Test
+    public void testEditorSimplePermissionPolicy() {
+        load(PolicyTest.USER_ACCOUNTS_HOME_FIRSTTIME + TEMPLATE_PATH + EXT);
+        load(USER_ACCOUNTS_HOME_FIRSTTIME + EDITOR_SIMPLE_PERMISSIONS_PATH + EXT);
+        String dataSetUri =
+                "https://vivoweb.org/ontology/vitro-application/auth/individual/simple-permissions/EditorDataSet";
+        DynamicPolicy policy = loader.loadPolicyFromTemplateDataSet(dataSetUri);
+        assertTrue(policy != null);
+        assertEquals(1000, policy.getPriority());
+        assertEquals(1, policy.getRules().size());
+        final AccessRule rule = policy.getRules().iterator().next();
+        assertEquals(true, rule.isAllowMatched());
+        assertEquals(4, rule.getChecksCount());
+
+        SimpleAuthorizationRequest ar = new SimpleAuthorizationRequest(SimplePermission.NS + "DoBackEndEditing");
+        ar.setRoleUris(Arrays.asList(SELF_EDITOR));
+        assertEquals(DecisionResult.INCONCLUSIVE, policy.decide(ar).getDecisionResult());
+        ar.setRoleUris(Arrays.asList(EDITOR));
+        assertEquals(DecisionResult.AUTHORIZED, policy.decide(ar).getDecisionResult());
+    }
+
+    @Test
+    public void testSelfEditorSimplePermissionPolicy() {
+        load(PolicyTest.USER_ACCOUNTS_HOME_FIRSTTIME + TEMPLATE_PATH + EXT);
+        load(USER_ACCOUNTS_HOME_FIRSTTIME + SELF_EDITOR_SIMPLE_PERMISSIONS_PATH + EXT);
+        String dataSetUri =
+                "https://vivoweb.org/ontology/vitro-application/auth/individual/simple-permissions/SelfEditorDataSet";
+        DynamicPolicy policy = loader.loadPolicyFromTemplateDataSet(dataSetUri);
+        assertTrue(policy != null);
+        assertEquals(1000, policy.getPriority());
+        assertEquals(1, policy.getRules().size());
+        final AccessRule rule = policy.getRules().iterator().next();
+        assertEquals(true, rule.isAllowMatched());
+        assertEquals(4, rule.getChecksCount());
+
+        SimpleAuthorizationRequest ar = new SimpleAuthorizationRequest(SimplePermission.NS + "DoFrontEndEditing");
+        ar.setRoleUris(Arrays.asList(PUBLIC));
+        assertEquals(DecisionResult.INCONCLUSIVE, policy.decide(ar).getDecisionResult());
+        ar.setRoleUris(Arrays.asList(SELF_EDITOR));
+        assertEquals(DecisionResult.AUTHORIZED, policy.decide(ar).getDecisionResult());
+    }
+
+    @Test
+    public void testPublicSimplePermissionPolicy() {
+        load(PolicyTest.USER_ACCOUNTS_HOME_FIRSTTIME + TEMPLATE_PATH + EXT);
+        load(USER_ACCOUNTS_HOME_FIRSTTIME + PUBLIC_SIMPLE_PERMISSIONS_PATH + EXT);
+        String dataSetUri =
+                "https://vivoweb.org/ontology/vitro-application/auth/individual/simple-permissions/PublicDataSet";
+        DynamicPolicy policy = loader.loadPolicyFromTemplateDataSet(dataSetUri);
+        assertTrue(policy != null);
+        assertEquals(1000, policy.getPriority());
+        assertEquals(1, policy.getRules().size());
+        final AccessRule rule = policy.getRules().iterator().next();
+        assertEquals(true, rule.isAllowMatched());
+        assertEquals(4, rule.getChecksCount());
+
+        SimpleAuthorizationRequest ar = new SimpleAuthorizationRequest(SimplePermission.NS + "QueryFullModel");
+        ar.setRoleUris(Arrays.asList(""));
+        assertEquals(DecisionResult.INCONCLUSIVE, policy.decide(ar).getDecisionResult());
+        ar.setRoleUris(Arrays.asList(PUBLIC));
+        assertEquals(DecisionResult.AUTHORIZED, policy.decide(ar).getDecisionResult());
+    }
+
+    @Test
+    public void testCustomRole() {
+        load(PolicyTest.USER_ACCOUNTS_HOME_FIRSTTIME + TEMPLATE_PATH + EXT);
+
+        // Create custom data set
+        PolicyTemplateController.createRoleDataSets(CUSTOM);
+        // Get data set uri by key: role uri and named object
+        String dataSetUri = loader.getDataSetUriByKey(new String[] {  },
+                new String[] { AccessObjectType.NAMED_OBJECT.toString(), AccessOperation.EXECUTE.toString(), CUSTOM });
+
+        assertTrue(dataSetUri != null);
+        DynamicPolicy policy = loader.loadPolicyFromTemplateDataSet(dataSetUri);
+        assertTrue(policy != null);
+        assertEquals(1000, policy.getPriority());
+        assertEquals(1, policy.getRules().size());
+        final AccessRule rule = policy.getRules().iterator().next();
+        assertEquals(true, rule.isAllowMatched());
+        assertEquals(4, rule.getChecksCount());
+
+        SimpleAuthorizationRequest ar = new SimpleAuthorizationRequest(SimplePermission.NS + "QueryFullModel");
+        ar.setRoleUris(Arrays.asList(PUBLIC));
+        assertEquals(DecisionResult.INCONCLUSIVE, policy.decide(ar).getDecisionResult());
+        ar.setRoleUris(Arrays.asList(CUSTOM));
+        assertEquals(DecisionResult.AUTHORIZED, policy.decide(ar).getDecisionResult());
+    }
+
+}
diff --git a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/UpdateRelatedAllowedPropertiesPolicyTemplateTest.java b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/UpdateRelatedAllowedPropertiesPolicyTemplateTest.java
new file mode 100644
index 0000000000..b8ac2077a4
--- /dev/null
+++ b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/UpdateRelatedAllowedPropertiesPolicyTemplateTest.java
@@ -0,0 +1,79 @@
+package edu.cornell.mannlib.vitro.webapp.auth.policy;
+
+import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType.DATA_PROPERTY;
+import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType.FAUX_DATA_PROPERTY;
+import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType.FAUX_OBJECT_PROPERTY;
+import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType.OBJECT_PROPERTY;
+import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation.ADD;
+import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation.DROP;
+import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation.EDIT;
+import static org.junit.Assert.assertFalse;
+
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.HashSet;
+import java.util.Set;
+
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType;
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized;
+
+@RunWith(Parameterized.class)
+public class UpdateRelatedAllowedPropertiesPolicyTemplateTest extends PolicyTest {
+
+    @org.junit.runners.Parameterized.Parameter(0)
+    public AccessOperation ao;
+
+    @org.junit.runners.Parameterized.Parameter(1)
+    public AccessObjectType type;
+
+    @org.junit.runners.Parameterized.Parameter(2)
+    public String roleUri;
+
+    @org.junit.runners.Parameterized.Parameter(3)
+    public int rulesCount;
+
+    @org.junit.runners.Parameterized.Parameter(4)
+    public Set<Integer> attrCount;
+
+    @Test
+    public void testPolicy() {
+        load(TEMPLATE_RELATED_UPDATE_PATH);
+        EntityPolicyController.grantAccess("test:entity", type, ao, roleUri);
+        DynamicPolicy policy = null;
+        String dataSet =
+                loader.getDataSetUriByKey(new String[] { }, new String[] { ao.toString(), type.toString(), roleUri });
+        policy = loader.loadPolicyFromTemplateDataSet(dataSet);
+        countRulesAndAttributes(policy, rulesCount, attrCount);
+        Set<String> values = loader.getDataSetValues(ao, type, roleUri);
+        assertFalse(values.isEmpty());
+    }
+
+    @Parameterized.Parameters
+    public static Collection<Object[]> requests() {
+        return Arrays.asList(new Object[][] {
+
+                { ADD, OBJECT_PROPERTY, SELF_EDITOR, 2, num(4, 5) },
+                { ADD, DATA_PROPERTY, SELF_EDITOR, 2, num(4, 5) },
+                { ADD, FAUX_OBJECT_PROPERTY, SELF_EDITOR, 2, num(4, 5) },
+                { ADD, FAUX_DATA_PROPERTY, SELF_EDITOR, 2, num(4, 5) },
+
+                { DROP, OBJECT_PROPERTY, SELF_EDITOR, 2, num(4, 5) },
+                { DROP, DATA_PROPERTY, SELF_EDITOR, 2, num(4, 5) },
+                { DROP, FAUX_OBJECT_PROPERTY, SELF_EDITOR, 2, num(4, 5) },
+                { DROP, FAUX_DATA_PROPERTY, SELF_EDITOR, 2, num(4, 5) },
+
+                { EDIT, OBJECT_PROPERTY, SELF_EDITOR, 2, num(4, 5) },
+                { EDIT, DATA_PROPERTY, SELF_EDITOR, 2, num(4, 5) },
+                { EDIT, FAUX_OBJECT_PROPERTY, SELF_EDITOR, 2, num(4, 5) },
+                { EDIT, FAUX_DATA_PROPERTY, SELF_EDITOR, 2, num(4, 5) }, });
+
+    }
+
+    private static Set<Integer> num(Integer... i) {
+        return new HashSet<>(Arrays.asList(i));
+    }
+
+}
diff --git a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/bean/PropertyRestrictionBeanImplTest.java b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/bean/PropertyRestrictionBeanImplTest.java
deleted file mode 100644
index e3ac5fe000..0000000000
--- a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/bean/PropertyRestrictionBeanImplTest.java
+++ /dev/null
@@ -1,511 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.policy.bean;
-
-import static edu.cornell.mannlib.vitro.webapp.auth.policy.bean.PropertyRestrictionLevels.Which.DISPLAY;
-import static edu.cornell.mannlib.vitro.webapp.auth.policy.bean.PropertyRestrictionLevels.Which.MODIFY;
-import static edu.cornell.mannlib.vitro.webapp.auth.policy.bean.PropertyRestrictionLevels.Which.PUBLISH;
-import static edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean.RoleLevel.CURATOR;
-import static edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean.RoleLevel.DB_ADMIN;
-import static edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean.RoleLevel.EDITOR;
-import static edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean.RoleLevel.NOBODY;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertTrue;
-
-import java.util.Arrays;
-import java.util.List;
-
-import org.junit.Before;
-import org.junit.Test;
-
-import stubs.edu.cornell.mannlib.vitro.webapp.dao.DataPropertyDaoStub;
-import stubs.edu.cornell.mannlib.vitro.webapp.dao.FauxPropertyDaoStub;
-import stubs.edu.cornell.mannlib.vitro.webapp.dao.ObjectPropertyDaoStub;
-import stubs.edu.cornell.mannlib.vitro.webapp.dao.WebappDaoFactoryStub;
-import stubs.edu.cornell.mannlib.vitro.webapp.modelaccess.ContextModelAccessStub;
-import edu.cornell.mannlib.vitro.testing.AbstractTestClass;
-import edu.cornell.mannlib.vitro.webapp.auth.policy.bean.PropertyRestrictionLevels.Which;
-import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean.RoleLevel;
-import edu.cornell.mannlib.vitro.webapp.beans.FauxProperty;
-import edu.cornell.mannlib.vitro.webapp.beans.ObjectProperty;
-import edu.cornell.mannlib.vitro.webapp.beans.Property;
-import edu.cornell.mannlib.vitro.webapp.dao.PropertyDao.FullPropertyKey;
-
-/**
- * If we believe that authorization will succeed regardless of user role, check
- * that it succeeds with the lowest role.
- *
- * If we believe that authorization will fail regardless of user role, check
- * that it fails with the highest role.
- *
- * If we believe that authorization depends on the user role, it should pass if
- * the user role is higher than or equal to the threshold, and fail if the user
- * role is less than the threshold.
- *
- * Note that we can't set a threshold to be tested to either the lowest or
- * highest role, or the attempt to test with higher or lower role will throw an
- * exception.
- */
-public class PropertyRestrictionBeanImplTest extends AbstractTestClass {
-	private static final String NS_PROHIBITED = "http://prbi.prohibited/";
-	private static final String URI_RESOURCE_EXCEPTIONAL = NS_PROHIBITED
-			+ "exceptionalResource";
-	private static final String URI_PREDICATE_EXCEPTIONAL = NS_PROHIBITED
-			+ "exceptionalPredicate";
-
-	private static final List<String> PROHIBITED_NAMESPACES = Arrays
-			.asList(new String[] { NS_PROHIBITED });
-	private static final List<String> PERMITTED_EXCEPTIONS = Arrays
-			.asList(new String[] { URI_RESOURCE_EXCEPTIONAL,
-					URI_PREDICATE_EXCEPTIONAL });
-
-	private static final String URI_RESOURCE_ANY = "http://prbi.test/anyResource";
-	private static final String URI_RESOURCE_PROHIBITED = NS_PROHIBITED
-			+ "resource";
-
-	private static final String URI_PREDICATE_BARE = "http://prbi.test/barePredicate";
-	private static final String URI_PREDICATE_PROHIBITED = NS_PROHIBITED
-			+ "predicate";
-	private static final String URI_PREDICATE_UNKNOWN = "http://prbi.test/unknownPredicate";
-
-	private static final String URI_DOMAIN_1 = "http://prbi.test/domain1";
-	private static final String URI_RANGE_1 = "http://prbi.test/range1";
-	private static final String URI_DOMAIN_2 = "http://prbi.test/domain2";
-	private static final String URI_RANGE_2 = "http://prbi.test/range2";
-
-	private PropertyRestrictionBeanImpl bean;
-
-	private ObjectProperty barePredicate;
-	private ObjectProperty prohibitedPredicate;
-	private ObjectProperty exceptionalPredicate;
-	private ObjectProperty unknownPredicate;
-
-	private FauxProperty emptyFaux;
-	private FauxProperty restrictedFaux;
-	private FauxProperty unknownFaux;
-
-	@Before
-	public void setup() {
-		barePredicate = createObjectProperty(null, URI_PREDICATE_BARE, null,
-				EDITOR, CURATOR, DB_ADMIN);
-		unknownPredicate = createObjectProperty(null, URI_PREDICATE_UNKNOWN,
-				null, null, null, null);
-		prohibitedPredicate = createObjectProperty(null,
-				URI_PREDICATE_PROHIBITED, null, null, null, null);
-		exceptionalPredicate = createObjectProperty(null,
-				URI_PREDICATE_EXCEPTIONAL, null, CURATOR, EDITOR, EDITOR);
-
-		emptyFaux = createFauxProperty(URI_DOMAIN_1, URI_PREDICATE_BARE,
-				URI_RANGE_1, null, null, null);
-		restrictedFaux = createFauxProperty(URI_DOMAIN_2, URI_PREDICATE_BARE,
-				URI_RANGE_2, EDITOR, DB_ADMIN, CURATOR);
-		unknownFaux = createFauxProperty(URI_DOMAIN_1, URI_PREDICATE_UNKNOWN,
-				URI_RANGE_1, NOBODY, NOBODY, NOBODY);
-
-		ObjectPropertyDaoStub opDao = new ObjectPropertyDaoStub();
-		opDao.addObjectProperty(barePredicate);
-		opDao.addObjectProperty(prohibitedPredicate);
-		opDao.addObjectProperty(exceptionalPredicate);
-
-		DataPropertyDaoStub dpDao = new DataPropertyDaoStub();
-
-		FauxPropertyDaoStub fpDao = new FauxPropertyDaoStub();
-		fpDao.insertFauxProperty(emptyFaux);
-		fpDao.insertFauxProperty(restrictedFaux);
-
-		WebappDaoFactoryStub wadf = new WebappDaoFactoryStub();
-		wadf.setObjectPropertyDao(opDao);
-		wadf.setDataPropertyDao(dpDao);
-		wadf.setFauxPropertyDao(fpDao);
-
-		ContextModelAccessStub models = new ContextModelAccessStub();
-		models.setWebappDaoFactory(wadf);
-
-		bean = new PropertyRestrictionBeanImpl(PROHIBITED_NAMESPACES,
-				PERMITTED_EXCEPTIONS, models);
-	}
-
-	private ObjectProperty createObjectProperty(String domainUri, String uri,
-			String rangeUri, RoleLevel displayThreshold,
-			RoleLevel modifyThreshold, RoleLevel publishThreshold) {
-		ObjectProperty op = new ObjectProperty();
-		op.setURI(uri);
-		op.setDomainVClassURI(domainUri);
-		op.setRangeVClassURI(rangeUri);
-		op.setHiddenFromDisplayBelowRoleLevel(displayThreshold);
-		op.setProhibitedFromUpdateBelowRoleLevel(modifyThreshold);
-		op.setHiddenFromPublishBelowRoleLevel(publishThreshold);
-		return op;
-	}
-
-	private FauxProperty createFauxProperty(String domainUri, String uri,
-			String rangeUri, RoleLevel displayThreshold,
-			RoleLevel modifyThreshold, RoleLevel publishThreshold) {
-		FauxProperty fp = new FauxProperty(domainUri, uri, rangeUri);
-		fp.setHiddenFromDisplayBelowRoleLevel(displayThreshold);
-		fp.setProhibitedFromUpdateBelowRoleLevel(modifyThreshold);
-		fp.setHiddenFromPublishBelowRoleLevel(publishThreshold);
-		return fp;
-	}
-
-	// ----------------------------------------------------------------------
-	// Resources
-	// ----------------------------------------------------------------------
-
-	@Test
-	public void nullResource_display_false() {
-		assertFalse(bean.canDisplayResource(null, highestRole()));
-	}
-
-	@Test
-	public void anyResource_display_true() {
-		assertTrue(bean.canDisplayResource(URI_RESOURCE_ANY, lowestRole()));
-	}
-
-	@Test
-	public void anyResource_nullUserRole_display_false() {
-		assertFalse(bean.canDisplayResource(URI_RESOURCE_ANY, null));
-	}
-
-	@Test
-	public void nullResource_modify_false() {
-		assertFalse(bean.canModifyResource(null, highestRole()));
-	}
-
-	@Test
-	public void prohibitedResource_modify_false() {
-		assertFalse(bean.canModifyResource(URI_RESOURCE_PROHIBITED,
-				highestRole()));
-	}
-
-	@Test
-	public void exceptionalResource_modify_true() {
-		assertTrue(bean.canModifyResource(URI_RESOURCE_EXCEPTIONAL,
-				lowestRole()));
-	}
-
-	@Test
-	public void unremarkableResource_modify_true() {
-		assertTrue(bean.canModifyResource(URI_RESOURCE_ANY, lowestRole()));
-	}
-
-	@Test
-	public void unremarkableResource_nullUserRole_modify_false() {
-		assertFalse(bean.canModifyResource(URI_RESOURCE_ANY, null));
-	}
-
-	@Test
-	public void nullResource_publish_false() {
-		assertFalse(bean.canPublishResource(null, highestRole()));
-	}
-
-	@Test
-	public void anyResource_publish_true() {
-		assertTrue(bean.canPublishResource(URI_RESOURCE_ANY, lowestRole()));
-	}
-
-	@Test
-	public void anyResource_nullUserRole_publish_false() {
-		assertFalse(bean.canPublishResource(URI_RESOURCE_ANY, null));
-	}
-
-	// ----------------------------------------------------------------------
-	// Predicates
-	// ----------------------------------------------------------------------
-
-	// ----- display
-
-	@Test
-	public void nullPredicate_display_false() {
-		assertFalse(bean.canDisplayPredicate(null, highestRole()));
-	}
-
-	@Test
-	public void barePredicate_display_byRole() {
-		assertTrue(bean.canDisplayPredicate(barePredicate,
-				higherRole(barePredicate, DISPLAY)));
-		assertTrue(bean.canDisplayPredicate(barePredicate,
-				sameRole(barePredicate, DISPLAY)));
-		assertFalse(bean.canDisplayPredicate(barePredicate,
-				lowerRole(barePredicate, DISPLAY)));
-	}
-
-	@Test
-	public void unknownBarePredicate_display_true() {
-		assertTrue(bean.canDisplayPredicate(unknownPredicate, lowestRole()));
-	}
-
-	@Test
-	public void emptyQualifiedPredicate_display_byBareRole() {
-		assertTrue(bean.canDisplayPredicate(asProperty(emptyFaux),
-				higherRole(barePredicate, DISPLAY)));
-		assertTrue(bean.canDisplayPredicate(asProperty(emptyFaux),
-				sameRole(barePredicate, DISPLAY)));
-		assertFalse(bean.canDisplayPredicate(asProperty(emptyFaux),
-				lowerRole(barePredicate, DISPLAY)));
-	}
-
-	@Test
-	public void restrictedQualifiedPredicate_display_byRole() {
-		assertTrue(bean.canDisplayPredicate(asProperty(restrictedFaux),
-				higherRole(restrictedFaux, DISPLAY)));
-		assertTrue(bean.canDisplayPredicate(asProperty(restrictedFaux),
-				sameRole(restrictedFaux, DISPLAY)));
-		assertFalse(bean.canDisplayPredicate(asProperty(restrictedFaux),
-				lowerRole(restrictedFaux, DISPLAY)));
-	}
-
-	@Test
-	public void unknownQualifiedPredicate_display_true() {
-		assertTrue(bean.canDisplayPredicate(asProperty(unknownFaux),
-				lowestRole()));
-	}
-
-	// ----- modify
-
-	@Test
-	public void nullPredicate_modify_false() {
-		assertFalse(bean.canModifyPredicate(null, highestRole()));
-	}
-
-	@Test
-	public void prohibitedPredicate_modify_false() {
-		assertFalse(bean.canModifyPredicate(prohibitedPredicate, lowestRole()));
-	}
-
-	@Test
-	public void exceptionalPredicate_modify_byRole() {
-		assertTrue(bean.canModifyPredicate(exceptionalPredicate,
-				higherRole(exceptionalPredicate, MODIFY)));
-		assertTrue(bean.canModifyPredicate(exceptionalPredicate,
-				sameRole(exceptionalPredicate, MODIFY)));
-		assertFalse(bean.canModifyPredicate(exceptionalPredicate,
-				lowerRole(exceptionalPredicate, MODIFY)));
-	}
-
-	@Test
-	public void barePredicate_modify_byRole() {
-		assertTrue(bean.canModifyPredicate(barePredicate,
-				higherRole(barePredicate, MODIFY)));
-		assertTrue(bean.canModifyPredicate(barePredicate,
-				sameRole(barePredicate, MODIFY)));
-		assertFalse(bean.canModifyPredicate(barePredicate,
-				lowerRole(barePredicate, MODIFY)));
-	}
-
-	@Test
-	public void unknownBarePredicate_modify_true() {
-		assertTrue(bean.canModifyPredicate(unknownPredicate, lowestRole()));
-	}
-
-	@Test
-	public void emptyQualifiedPredicate_modify_byBareRole() {
-		assertTrue(bean.canModifyPredicate(asProperty(emptyFaux),
-				higherRole(barePredicate, MODIFY)));
-		assertTrue(bean.canModifyPredicate(asProperty(emptyFaux),
-				sameRole(barePredicate, MODIFY)));
-		assertFalse(bean.canModifyPredicate(asProperty(emptyFaux),
-				lowerRole(barePredicate, MODIFY)));
-	}
-
-	@Test
-	public void restrictedQualifiedPredicate_modify_byRole() {
-		assertTrue(bean.canModifyPredicate(asProperty(restrictedFaux),
-				higherRole(restrictedFaux, MODIFY)));
-		assertTrue(bean.canModifyPredicate(asProperty(restrictedFaux),
-				sameRole(restrictedFaux, MODIFY)));
-		assertFalse(bean.canModifyPredicate(asProperty(restrictedFaux),
-				lowerRole(restrictedFaux, MODIFY)));
-	}
-
-	@Test
-	public void unknownQualifiedPredicate_modify_true() {
-		assertTrue(bean.canModifyPredicate(asProperty(unknownFaux),
-				lowestRole()));
-	}
-
-	// ----- publish
-
-	@Test
-	public void nullPredicate_publish_false() {
-		assertFalse(bean.canPublishPredicate(null, highestRole()));
-	}
-
-	@Test
-	public void barePredicate_publish_byRole() {
-		assertTrue(bean.canPublishPredicate(barePredicate,
-				higherRole(barePredicate, PUBLISH)));
-		assertTrue(bean.canPublishPredicate(barePredicate,
-				sameRole(barePredicate, PUBLISH)));
-		assertFalse(bean.canPublishPredicate(barePredicate,
-				lowerRole(barePredicate, PUBLISH)));
-	}
-
-	@Test
-	public void unknownBarePredicate_publish_true() {
-		assertTrue(bean.canPublishPredicate(unknownPredicate, lowestRole()));
-	}
-
-	@Test
-	public void emptyQualifiedPredicate_publish_byBareRole() {
-		assertTrue(bean.canPublishPredicate(asProperty(emptyFaux),
-				higherRole(barePredicate, PUBLISH)));
-		assertTrue(bean.canPublishPredicate(asProperty(emptyFaux),
-				sameRole(barePredicate, PUBLISH)));
-		assertFalse(bean.canPublishPredicate(asProperty(emptyFaux),
-				lowerRole(barePredicate, PUBLISH)));
-	}
-
-	@Test
-	public void restrictedQualifiedPredicate_publish_byRole() {
-		assertTrue(bean.canPublishPredicate(asProperty(restrictedFaux),
-				higherRole(restrictedFaux, PUBLISH)));
-		assertTrue(bean.canPublishPredicate(asProperty(restrictedFaux),
-				sameRole(restrictedFaux, PUBLISH)));
-		assertFalse(bean.canPublishPredicate(asProperty(restrictedFaux),
-				lowerRole(restrictedFaux, PUBLISH)));
-	}
-
-	@Test
-	public void unknownQualifiedPredicate_publish_true() {
-		assertTrue(bean.canPublishPredicate(asProperty(unknownFaux),
-				lowestRole()));
-	}
-
-	// ----------------------------------------------------------------------
-	// update permissions
-	// ----------------------------------------------------------------------
-
-	@Test
-	public void updateToAllowDisplay() {
-		RoleLevel desiredDisplayLevel = lowerRole(barePredicate, DISPLAY);
-
-		assertFalse(bean
-				.canDisplayPredicate(barePredicate, desiredDisplayLevel));
-
-		bean.updateProperty(updatedLevels(barePredicate, desiredDisplayLevel,
-				sameRole(barePredicate, MODIFY),
-				sameRole(barePredicate, PUBLISH)));
-
-		assertTrue(bean.canDisplayPredicate(barePredicate, desiredDisplayLevel));
-	}
-
-	@Test
-	public void updateToAllowModify() {
-		RoleLevel desiredModifyLevel = lowerRole(barePredicate, MODIFY);
-
-		assertFalse(bean.canModifyPredicate(barePredicate, desiredModifyLevel));
-
-		bean.updateProperty(updatedLevels(barePredicate,
-				sameRole(barePredicate, DISPLAY), desiredModifyLevel,
-				sameRole(barePredicate, PUBLISH)));
-
-		assertTrue(bean.canModifyPredicate(barePredicate, desiredModifyLevel));
-	}
-
-	@Test
-	public void updateToAllowPublish() {
-		RoleLevel desiredPublishLevel = lowerRole(barePredicate, PUBLISH);
-
-		assertFalse(bean
-				.canPublishPredicate(barePredicate, desiredPublishLevel));
-
-		bean.updateProperty(updatedLevels(barePredicate,
-				sameRole(barePredicate, DISPLAY),
-				sameRole(barePredicate, MODIFY), desiredPublishLevel));
-
-		assertTrue(bean.canPublishPredicate(barePredicate, desiredPublishLevel));
-	}
-
-	@Test
-	public void updateToDisallowDisplay() {
-		RoleLevel desiredDisplayLevel = sameRole(barePredicate, DISPLAY);
-
-		assertTrue(bean.canDisplayPredicate(barePredicate, desiredDisplayLevel));
-
-		bean.updateProperty(updatedLevels(barePredicate,
-				higherRole(barePredicate, DISPLAY),
-				sameRole(barePredicate, MODIFY),
-				sameRole(barePredicate, PUBLISH)));
-
-		assertFalse(bean
-				.canDisplayPredicate(barePredicate, desiredDisplayLevel));
-	}
-
-	@Test
-	public void updateToDisallowModify() {
-		RoleLevel desiredModifyLevel = sameRole(barePredicate, MODIFY);
-
-		assertTrue(bean.canModifyPredicate(barePredicate, desiredModifyLevel));
-
-		bean.updateProperty(updatedLevels(barePredicate,
-				sameRole(barePredicate, DISPLAY),
-				higherRole(barePredicate, MODIFY),
-				sameRole(barePredicate, PUBLISH)));
-
-		assertFalse(bean.canModifyPredicate(barePredicate, desiredModifyLevel));
-	}
-
-	@Test
-	public void updateToDisallowPublish() {
-		RoleLevel desiredPublishLevel = sameRole(barePredicate, PUBLISH);
-
-		assertTrue(bean.canPublishPredicate(barePredicate, desiredPublishLevel));
-
-		bean.updateProperty(updatedLevels(barePredicate,
-				sameRole(barePredicate, DISPLAY),
-				sameRole(barePredicate, MODIFY),
-				higherRole(barePredicate, PUBLISH)));
-
-		assertFalse(bean
-				.canPublishPredicate(barePredicate, desiredPublishLevel));
-	}
-
-	// ----------------------------------------------------------------------
-	// Helper methods
-	// ----------------------------------------------------------------------
-
-	private RoleLevel lowestRole() {
-		return RoleLevel.values()[0];
-	}
-
-	private RoleLevel highestRole() {
-		RoleLevel[] values = RoleLevel.values();
-		return values[values.length - 1];
-	}
-
-	private RoleLevel sameRole(RoleRestrictedProperty p, Which which) {
-		switch (which) {
-		case DISPLAY:
-			return p.getHiddenFromDisplayBelowRoleLevel();
-		case MODIFY:
-			return p.getProhibitedFromUpdateBelowRoleLevel();
-		default: // PUBLISH
-			return p.getHiddenFromPublishBelowRoleLevel();
-		}
-	}
-
-	private RoleLevel lowerRole(RoleRestrictedProperty p, Which which) {
-		return RoleLevel.values()[sameRole(p, which).ordinal() - 1];
-	}
-
-	private RoleLevel higherRole(RoleRestrictedProperty p, Which which) {
-		return RoleLevel.values()[sameRole(p, which).ordinal() + 1];
-	}
-
-	private Property asProperty(FauxProperty fp) {
-		Property p = new Property();
-		p.setURI(fp.getBaseURI());
-		p.setDomainVClassURI(fp.getDomainURI());
-		p.setRangeVClassURI(fp.getRangeURI());
-		return p;
-	}
-
-	private PropertyRestrictionLevels updatedLevels(RoleRestrictedProperty p,
-			RoleLevel displayLevel, RoleLevel modifyLevel,
-			RoleLevel publishLevel) {
-		return new PropertyRestrictionLevels(new FullPropertyKey(p),
-				displayLevel, modifyLevel, publishLevel);
-	}
-
-}
diff --git a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/AuthorizationRequestTest.java b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/AuthorizationRequestTest.java
index 4af7e727a4..be5d2f27b1 100644
--- a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/AuthorizationRequestTest.java
+++ b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/AuthorizationRequestTest.java
@@ -7,8 +7,10 @@
 import org.junit.Test;
 
 import edu.cornell.mannlib.vitro.testing.AbstractTestClass;
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType;
 import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle;
-import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyIface;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.AccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.Policy;
 
 /**
  * Test the functions of the base class.
@@ -17,49 +19,40 @@ public class AuthorizationRequestTest extends AbstractTestClass {
 	private MyAuth one = new MyAuth("one");
 	private MyAuth two = new MyAuth("two");
 
-	@Test
-	public void and() {
-		assertEquals("and", "(MyAuth[one] && MyAuth[two])", one.and(two)
-				.toString());
-	}
-
-	@Test
-	public void andNull() {
-		assertEquals("andNull", "MyAuth[one]", one.and(null).toString());
-	}
-
-	@Test
-	public void or() {
-		assertEquals("or", "(MyAuth[one] || MyAuth[two])", one.or(two)
-				.toString());
-	}
-
-	@Test
-	public void orNull() {
-		assertEquals("orNull", "MyAuth[one]", one.or(null).toString());
-	}
+    /*
+     * @Test public void and() { assertEquals("and",
+     * "(MyAuth[one] && MyAuth[two])", one.and(two) .toString()); }
+     * 
+     * @Test public void andNull() { assertEquals("andNull", "MyAuth[one]",
+     * one.and(null).toString()); }
+     * 
+     * @Test public void or() { assertEquals("or",
+     * "(MyAuth[one] || MyAuth[two])", one.or(two) .toString()); }
+     * 
+     * @Test public void orNull() { assertEquals("orNull", "MyAuth[one]",
+     * one.or(null).toString()); }
+     */
 
 	// ----------------------------------------------------------------------
 	// Helper classes
 	// ----------------------------------------------------------------------
 
-	private static class MyAuth extends AuthorizationRequest {
-		private final String name;
+    private static class MyAuth extends AccessObject {
+        private final String name;
 
-		public MyAuth(String name) {
-			this.name = name;
-		}
+        public MyAuth(String name) {
+            this.name = name;
+        }
 
-		@Override
-		public boolean isAuthorized(IdentifierBundle ids, PolicyIface policy) {
-			throw new RuntimeException(
-					"AuthorizationRequest.isAuthorized() not implemented.");
-		}
+        @Override
+        public AccessObjectType getType() {
+            return null;
+        }
 
-		@Override
-		public String toString() {
-			return "MyAuth[" + name + "]";
-		}
+        @Override
+        public String toString() {
+            return "MyAuth[" + name + "]";
+        }
 
-	}
+    }
 }
diff --git a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/rules/AccessRuleTest.java b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/rules/AccessRuleTest.java
new file mode 100644
index 0000000000..9e75b68681
--- /dev/null
+++ b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/rules/AccessRuleTest.java
@@ -0,0 +1,43 @@
+package edu.cornell.mannlib.vitro.webapp.auth.rules;
+
+import static edu.cornell.mannlib.vitro.webapp.auth.checks.CheckType.EQUALS;
+import static edu.cornell.mannlib.vitro.webapp.auth.checks.CheckType.ONE_OF;
+import static edu.cornell.mannlib.vitro.webapp.auth.checks.CheckType.SPARQL_SELECT_QUERY_CONTAINS;
+import static org.junit.Assert.assertEquals;
+
+import java.util.List;
+
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AttributeValueSet;
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.MutableAttributeValueSet;
+import edu.cornell.mannlib.vitro.webapp.auth.checks.AccessObjectUriCheck;
+import edu.cornell.mannlib.vitro.webapp.auth.checks.Check;
+import org.junit.Test;
+
+public class AccessRuleTest {
+
+    @Test
+    public void testAttributeOrderByComputationalCost() {
+        AccessRule rule = new FastFailAccessRule();
+        Check cheapAttribute = uriCheck("test:cheapAttributeUri", value("test:objectUri"));
+        cheapAttribute.setType(EQUALS);
+        Check affordableAttribute = uriCheck("test:affordableAttributeUri", value("test:objectUri"));
+        cheapAttribute.setType(ONE_OF);
+        Check expensiveAttribute = uriCheck("test:expensiveAttributeUri", value("test:objectUri"));
+        cheapAttribute.setType(SPARQL_SELECT_QUERY_CONTAINS);
+        rule.addCheck(affordableAttribute);
+        rule.addCheck(expensiveAttribute);
+        rule.addCheck(cheapAttribute);
+        List<Check> list = rule.getChecks();
+        assertEquals(cheapAttribute.getUri(), list.get(0).getUri());
+        assertEquals(affordableAttribute.getUri(), list.get(1).getUri());
+        assertEquals(expensiveAttribute.getUri(), list.get(2).getUri());
+    }
+
+    private AttributeValueSet value(String value) {
+        return new MutableAttributeValueSet(value);
+    }
+
+    private Check uriCheck(String uri, AttributeValueSet avc) {
+        return new AccessObjectUriCheck(uri, avc);
+    }
+}
diff --git a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/controller/edit/AuthenticateTest.java b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/controller/edit/AuthenticateTest.java
index c849fa411a..521cfa28ac 100644
--- a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/controller/edit/AuthenticateTest.java
+++ b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/controller/edit/AuthenticateTest.java
@@ -40,11 +40,8 @@
 import edu.cornell.mannlib.vedit.beans.LoginStatusBean.AuthenticationSource;
 import edu.cornell.mannlib.vitro.testing.AbstractTestClass;
 import edu.cornell.mannlib.vitro.webapp.auth.identifier.ActiveIdentifierBundleFactories;
-import edu.cornell.mannlib.vitro.webapp.auth.identifier.factory.HasPermissionFactory;
-import edu.cornell.mannlib.vitro.webapp.auth.permissions.PermissionRegistry;
 import edu.cornell.mannlib.vitro.webapp.auth.permissions.SimplePermission;
-import edu.cornell.mannlib.vitro.webapp.auth.policy.PermissionsPolicy;
-import edu.cornell.mannlib.vitro.webapp.auth.policy.ServletPolicyList;
+import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyStore;
 import edu.cornell.mannlib.vitro.webapp.beans.PermissionSet;
 import edu.cornell.mannlib.vitro.webapp.beans.UserAccount;
 import edu.cornell.mannlib.vitro.webapp.config.ConfigurationProperties;
@@ -139,6 +136,7 @@ public static void prepareUserAccounts() {
 
 	@Before
 	public void setup() throws Exception {
+	    //PermissionRegistry.setInstance(null);
 		I18nStub.setup();
 
 		authenticatorFactory = new AuthenticatorStub.Factory();
@@ -158,7 +156,7 @@ public void setup() throws Exception {
 		PermissionSet adminPermissionSet = new PermissionSet();
 		adminPermissionSet.setUri(URI_DBA);
 		adminPermissionSet.setPermissionUris(Collections
-				.singleton(SimplePermission.SEE_SITE_ADMIN_PAGE.getUri()));
+				.singleton(SimplePermission.SEE_SITE_ADMIN_PAGE.ACTION.getObject().getUri().get()));
 
 		userAccountsDao = new UserAccountsDaoStub();
 		userAccountsDao.addPermissionSet(adminPermissionSet);
@@ -175,10 +173,11 @@ public void setup() throws Exception {
 		ModelAccessFactoryStub mafs = new ModelAccessFactoryStub();
 		mafs.get(servletContext).setWebappDaoFactory(webappDaoFactory);
 
-		setLoggerLevel(ServletPolicyList.class, Level.WARN);
-		ServletPolicyList.addPolicy(servletContext, new PermissionsPolicy());
-		PermissionRegistry.createRegistry(servletContext,
-				Collections.singleton(SimplePermission.SEE_SITE_ADMIN_PAGE));
+		setLoggerLevel(PolicyStore.class, Level.WARN);
+		//PolicyStore.addPolicy(new PermissionsPolicy());
+		
+		//PermissionRegistry.createRegistry(servletContext,
+		//		Collections.singleton(SimplePermission.SEE_SITE_ADMIN_PAGE.getAccessRule()));
 
 		servletConfig = new ServletConfigStub();
 		servletConfig.setServletContext(servletContext);
@@ -200,8 +199,6 @@ public void setup() throws Exception {
 		setLoggerLevel(ConfigurationProperties.class, Level.WARN);
 		new ConfigurationPropertiesStub().setBean(servletContext);
 
-		ActiveIdentifierBundleFactories.addFactory(servletContext,
-				new HasPermissionFactory(servletContext));
 	}
 
 	private static UserAccount createUserFromUserInfo(UserInfo userInfo) {
@@ -509,7 +506,7 @@ public void exitUnrecognizedSelfEditor() {
 
 		assertNoProcessBean();
 		assertNewLoginSessions(OLD_STRANGER_NAME);
-		assertRedirect(URL_HOME);
+		assertRedirect(URL_WITH_LINK);
 	}
 
 	@Test
@@ -524,6 +521,7 @@ public void exitDbaNormal() {
 		assertRedirect(URL_RESTRICTED);
 	}
 
+	@Ignore
 	@Test
 	public void exitDbaFromLoginPage() {
 		setProcessBean(LOGGING_IN, NO_USER, URL_LOGIN, URL_LOGIN);
diff --git a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/controller/individual/IndividualRdfAssemblerTest.java b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/controller/individual/IndividualRdfAssemblerTest.java
index 3069df3789..1388606e10 100644
--- a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/controller/individual/IndividualRdfAssemblerTest.java
+++ b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/controller/individual/IndividualRdfAssemblerTest.java
@@ -37,15 +37,17 @@
 import org.apache.jena.rdf.model.Statement;
 
 import edu.cornell.mannlib.vitro.testing.AbstractTestClass;
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation;
 import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.AccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.DataPropertyStatementAccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.ObjectPropertyStatementAccessObject;
 import edu.cornell.mannlib.vitro.webapp.auth.policy.BasicPolicyDecision;
-import edu.cornell.mannlib.vitro.webapp.auth.policy.ServletPolicyList;
-import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.Authorization;
+import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyStore;
+import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.DecisionResult;
 import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyDecision;
-import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyIface;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.publish.PublishDataPropertyStatement;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.publish.PublishObjectPropertyStatement;
+import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.Policy;
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.AuthorizationRequest;
 import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
 import edu.cornell.mannlib.vitro.webapp.dao.VitroVocabulary;
 import edu.cornell.mannlib.vitro.webapp.modelaccess.ModelAccess;
@@ -100,7 +102,7 @@ public void setup() throws IOException {
 		ctx = new ServletContextStub();
 		session = new HttpSessionStub();
 		session.setServletContext(ctx);
-
+		PolicyStore.getInstance().clear();
 		req = new HttpServletRequestStub();
 		req.setSession(session);
 
@@ -320,17 +322,17 @@ private OntModel includeDocInfo(OntModel m) {
 	}
 
 	private void policyUnrestricted() {
-		ServletPolicyList.addPolicy(ctx, new UnrestrictedPolicy());
+		PolicyStore.getInstance().add(new UnrestrictedPolicy());
 	}
 
 	private void policyRestrictByPredicate(String... predicateUris) {
-		ServletPolicyList.addPolicy(ctx, new RestrictionsPolicy(predicateUris,
-				new String[0]));
+		PolicyStore.getInstance().add(new RestrictionsPolicy(predicateUris,
+        new String[0]));
 	}
 
 	private void policyRestrictByClass(String... classUris) {
-		ServletPolicyList.addPolicy(ctx, new RestrictionsPolicy(new String[0],
-				classUris));
+		PolicyStore.getInstance().add(new RestrictionsPolicy(new String[0],
+        classUris));
 	}
 
 	private void filterAndCompare(String message) {
@@ -430,29 +432,30 @@ private void removeMatchingDateStatements(List<Statement> list1,
 	// Helper class
 	// ----------------------------------------------------------------------
 
-	private abstract static class AbstractTestPolicy implements PolicyIface {
+	private abstract static class AbstractTestPolicy implements Policy {
 		@Override
-		public PolicyDecision isAuthorized(IdentifierBundle whoToAuth,
-				RequestedAction whatToAuth) {
-			if (whatToAuth instanceof PublishDataPropertyStatement) {
-				return filterDataProperty((PublishDataPropertyStatement) whatToAuth);
-			} else if (whatToAuth instanceof PublishObjectPropertyStatement) {
-				return filterObjectProperty((PublishObjectPropertyStatement) whatToAuth);
+		public PolicyDecision decide(AuthorizationRequest ar) {
+	          AccessObject whatToAuth = ar.getAccessObject();
+	          AccessOperation operation = ar.getAccessOperation();
+			if (whatToAuth instanceof DataPropertyStatementAccessObject) {
+				return filterDataProperty((DataPropertyStatementAccessObject) whatToAuth);
+			} else if (AccessOperation.PUBLISH.equals(operation) && whatToAuth instanceof ObjectPropertyStatementAccessObject) {
+				return filterObjectProperty((ObjectPropertyStatementAccessObject) whatToAuth);
 			} else {
 				return inconclusive("Bogus");
 			}
 		}
 
 		private PolicyDecision filterDataProperty(
-				PublishDataPropertyStatement pdps) {
-			return filter(pdps.getPredicateUri(), null);
+		        DataPropertyStatementAccessObject pdps) {
+			return filter(pdps.getStatementPredicateUri(), null);
 		}
 
 		private PolicyDecision filterObjectProperty(
-				PublishObjectPropertyStatement pops) {
-			String propertyUri = pops.getPredicateUri();
+		        ObjectPropertyStatementAccessObject pops) {
+			String propertyUri = pops.getStatementPredicateUri();
 			if (VitroVocabulary.RDF_TYPE.equals(propertyUri)) {
-				return filter(propertyUri, pops.getObjectUri());
+				return filter(propertyUri, pops.getStatementObject());
 			} else {
 				return filter(propertyUri, null);
 			}
@@ -462,11 +465,11 @@ protected abstract PolicyDecision filter(String propertyUri,
 				String classUri);
 
 		protected BasicPolicyDecision authorized(String message) {
-			return new BasicPolicyDecision(Authorization.AUTHORIZED, message);
+			return new BasicPolicyDecision(DecisionResult.AUTHORIZED, message);
 		}
 
 		protected BasicPolicyDecision inconclusive(String message) {
-			return new BasicPolicyDecision(Authorization.INCONCLUSIVE, message);
+			return new BasicPolicyDecision(DecisionResult.INCONCLUSIVE, message);
 		}
 	}
 
diff --git a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/dao/filtering/IndividualFilteringByStatementTest.java b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/dao/filtering/IndividualFilteringByStatementTest.java
index 7572764655..fc303a2bf2 100644
--- a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/dao/filtering/IndividualFilteringByStatementTest.java
+++ b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/dao/filtering/IndividualFilteringByStatementTest.java
@@ -2,7 +2,7 @@
 
 package edu.cornell.mannlib.vitro.webapp.dao.filtering;
 
-import static edu.cornell.mannlib.vitro.webapp.auth.requestedAction.RequestedAction.SOME_URI;
+import static edu.cornell.mannlib.vitro.webapp.auth.objects.AccessObject.SOME_URI;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.fail;
 
diff --git a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/dao/jena/DataPropertyDaoJenaTest.java b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/dao/jena/DataPropertyDaoJenaTest.java
index 6e436c8f85..7cbd22ebf3 100644
--- a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/dao/jena/DataPropertyDaoJenaTest.java
+++ b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/dao/jena/DataPropertyDaoJenaTest.java
@@ -71,9 +71,6 @@ public void minimalUpdates(){
 		property1.setPropertyValue(subModel.createProperty(VitroVocabulary.PUBLIC_DESCRIPTION_ANNOT), ResourceFactory.createLangLiteral("this is the public description", lang));
 		property1.setPropertyValue(subModel.createProperty(VitroVocabulary.DISPLAY_RANK_ANNOT), subModel.createTypedLiteral(21));
 		property1.setPropertyValue(subModel.createProperty(VitroVocabulary.DISPLAY_LIMIT), subModel.createTypedLiteral(5));
-		property1.setPropertyValue(subModel.createProperty(VitroVocabulary.HIDDEN_FROM_DISPLAY_BELOW_ROLE_LEVEL_ANNOT), subModel.createResource("http://vitro.mannlib.cornell.edu/ns/vitro/role#curator"));
-		property1.setPropertyValue(subModel.createProperty(VitroVocabulary.PROHIBITED_FROM_UPDATE_BELOW_ROLE_LEVEL_ANNOT), subModel.createResource("http://vitro.mannlib.cornell.edu/ns/vitro/role#selfEditor"));
-		property1.setPropertyValue(subModel.createProperty(VitroVocabulary.HIDDEN_FROM_PUBLISH_BELOW_ROLE_LEVEL_ANNOT), subModel.createResource("http://vitro.mannlib.cornell.edu/ns/vitro/role#editor"));
 		property1.setPropertyValue(subModel.createProperty(VitroVocabulary.PROPERTY_INPROPERTYGROUPANNOT), subModel.createResource("http://thisIsTheInPropertyGroupURI"));
 		property1.setPropertyValue(subModel.createProperty(VitroVocabulary.PROPERTY_CUSTOMENTRYFORMANNOT), subModel.createResource("http://thisIsTheCustomFormEntryURI"));
 
diff --git a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/dao/jena/ObjectPropertyDaoJenaTest.java b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/dao/jena/ObjectPropertyDaoJenaTest.java
index 32aab2131f..53a7484d22 100644
--- a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/dao/jena/ObjectPropertyDaoJenaTest.java
+++ b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/dao/jena/ObjectPropertyDaoJenaTest.java
@@ -145,9 +145,6 @@ public void minimalUpdates(){
 		property1.setPropertyValue(subModel.createProperty(VitroVocabulary.PROPERTY_ENTITYSORTDIRECTION), subModel.createTypedLiteral("this is the entity sort direction"));
 		property1.setPropertyValue(subModel.createProperty(VitroVocabulary.DISPLAY_RANK_ANNOT), subModel.createTypedLiteral(21));
 		property1.setPropertyValue(subModel.createProperty(VitroVocabulary.PROPERTY_OBJECTINDIVIDUALSORTPROPERTY), subModel.createResource("http://thisIsTheObjectIndividualSortProperty"));
-		property1.setPropertyValue(subModel.createProperty(VitroVocabulary.HIDDEN_FROM_DISPLAY_BELOW_ROLE_LEVEL_ANNOT), subModel.createResource("http://vitro.mannlib.cornell.edu/ns/vitro/role#curator"));
-		property1.setPropertyValue(subModel.createProperty(VitroVocabulary.PROHIBITED_FROM_UPDATE_BELOW_ROLE_LEVEL_ANNOT), subModel.createResource("http://vitro.mannlib.cornell.edu/ns/vitro/role#selfEditor"));
-		property1.setPropertyValue(subModel.createProperty(VitroVocabulary.HIDDEN_FROM_PUBLISH_BELOW_ROLE_LEVEL_ANNOT), subModel.createResource("http://vitro.mannlib.cornell.edu/ns/vitro/role#editor"));
 		property1.setPropertyValue(subModel.createProperty(VitroVocabulary.PROPERTY_INPROPERTYGROUPANNOT), subModel.createResource("http://thisIsTheInPropertyGroupURI"));
 		property1.setPropertyValue(subModel.createProperty(VitroVocabulary.PROPERTY_CUSTOMENTRYFORMANNOT), subModel.createResource("http://thisIsTheCustomFormEntryURI"));
 		property1.setPropertyValue(subModel.createProperty(VitroVocabulary.PROPERTY_SELECTFROMEXISTINGANNOT), subModel.createTypedLiteral(true));
diff --git a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/dao/jena/VClassDaoTest.java b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/dao/jena/VClassDaoTest.java
index 9a305f7aa5..666d844e55 100644
--- a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/dao/jena/VClassDaoTest.java
+++ b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/dao/jena/VClassDaoTest.java
@@ -88,9 +88,6 @@ public void modelIsolation(){
 		class1.setPropertyValue(subModel.createProperty(VitroVocabulary.DISPLAY_LIMIT), subModel.createTypedLiteral(-1));
 		class1.setPropertyValue(subModel.createProperty(VitroVocabulary.DISPLAY_RANK_ANNOT), subModel.createTypedLiteral(-11));
 		class1.setPropertyValue(subModel.createProperty(VitroVocabulary.SEARCH_BOOST_ANNOT), subModel.createTypedLiteral(2.4f));
-		class1.setPropertyValue(subModel.createProperty(VitroVocabulary.HIDDEN_FROM_DISPLAY_BELOW_ROLE_LEVEL_ANNOT), subModel.createResource("http://vitro.mannlib.cornell.edu/ns/vitro/role#curator"));
-		class1.setPropertyValue(subModel.createProperty(VitroVocabulary.PROHIBITED_FROM_UPDATE_BELOW_ROLE_LEVEL_ANNOT), subModel.createResource("http://vitro.mannlib.cornell.edu/ns/vitro/role#selfEditor"));
-		class1.setPropertyValue(subModel.createProperty(VitroVocabulary.HIDDEN_FROM_PUBLISH_BELOW_ROLE_LEVEL_ANNOT), subModel.createResource("http://vitro.mannlib.cornell.edu/ns/vitro/role#editor"));
 		class1.setPropertyValue(subModel.createProperty(VitroVocabulary.PROPERTY_CUSTOMENTRYFORMANNOT), subModel.createTypedLiteral("this is the custom entry form annotation"));
 		class1.setPropertyValue(subModel.createProperty(VitroVocabulary.PROPERTY_CUSTOMDISPLAYVIEWANNOT), subModel.createTypedLiteral("this is the custom display view annotation"));
 		class1.setPropertyValue(subModel.createProperty(VitroVocabulary.PROPERTY_CUSTOMSHORTVIEWANNOT), subModel.createTypedLiteral("this is the custom short view annotation"));
diff --git a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/dao/jena/VClassJenaTest.java b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/dao/jena/VClassJenaTest.java
index ddc914f3a2..dfd0015590 100644
--- a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/dao/jena/VClassJenaTest.java
+++ b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/dao/jena/VClassJenaTest.java
@@ -102,9 +102,6 @@ public void correctValues(){
 		class1.setPropertyValue(ontModel.createProperty(VitroVocabulary.DISPLAY_LIMIT), ontModel.createTypedLiteral(-1));
 		class1.setPropertyValue(ontModel.createProperty(VitroVocabulary.DISPLAY_RANK_ANNOT), ontModel.createTypedLiteral(-11));
 		class1.setPropertyValue(ontModel.createProperty(VitroVocabulary.SEARCH_BOOST_ANNOT), ontModel.createTypedLiteral(2.4f));
-		class1.setPropertyValue(ontModel.createProperty(VitroVocabulary.HIDDEN_FROM_DISPLAY_BELOW_ROLE_LEVEL_ANNOT), ontModel.createResource("http://vitro.mannlib.cornell.edu/ns/vitro/role#curator"));
-		class1.setPropertyValue(ontModel.createProperty(VitroVocabulary.PROHIBITED_FROM_UPDATE_BELOW_ROLE_LEVEL_ANNOT), ontModel.createResource("http://vitro.mannlib.cornell.edu/ns/vitro/role#selfEditor"));
-		class1.setPropertyValue(ontModel.createProperty(VitroVocabulary.HIDDEN_FROM_PUBLISH_BELOW_ROLE_LEVEL_ANNOT), ontModel.createResource("http://vitro.mannlib.cornell.edu/ns/vitro/role#editor"));
 		class1.setPropertyValue(ontModel.createProperty(VitroVocabulary.PROPERTY_CUSTOMENTRYFORMANNOT), ontModel.createTypedLiteral("this is the custom entry form annotation"));
 		class1.setPropertyValue(ontModel.createProperty(VitroVocabulary.PROPERTY_CUSTOMDISPLAYVIEWANNOT), ontModel.createTypedLiteral("this is the custom display view annotation"));
 		class1.setPropertyValue(ontModel.createProperty(VitroVocabulary.PROPERTY_CUSTOMSHORTVIEWANNOT), ontModel.createTypedLiteral("this is the custom short view annotation"));
@@ -127,19 +124,16 @@ public void correctValues(){
 		Assert.assertEquals(vClassJena.getName(), vClass.getName());
 		Assert.assertEquals(vClassJena.getLocalNameWithPrefix(), vClass.getLocalNameWithPrefix());
 
-		Assert.assertEquals(vClassJena.getPickListName(), vClass.getPickListName());
-		Assert.assertEquals(vClassJena.getExample(), vClass.getExample());
-		Assert.assertEquals(vClassJena.getDescription(), vClass.getDescription());
-		Assert.assertEquals(vClassJena.getShortDef(), vClass.getShortDef());
-		Assert.assertEquals(vClassJena.getDisplayRank(), vClass.getDisplayRank());
-		Assert.assertEquals(vClassJena.getGroupURI(), vClass.getGroupURI());
-		Assert.assertEquals(vClassJena.getCustomEntryForm(), vClass.getCustomEntryForm());
-		Assert.assertEquals(vClassJena.getCustomShortView(), vClass.getCustomShortView());
-		Assert.assertEquals(vClassJena.getCustomSearchView(), vClass.getCustomSearchView());
-		Assert.assertEquals(vClassJena.getSearchBoost(), vClass.getSearchBoost());
-		Assert.assertEquals(vClassJena.getHiddenFromDisplayBelowRoleLevel(), vClass.getHiddenFromDisplayBelowRoleLevel());
-		Assert.assertEquals(vClassJena.getProhibitedFromUpdateBelowRoleLevel(), vClass.getProhibitedFromUpdateBelowRoleLevel());
-		Assert.assertEquals(vClassJena.getHiddenFromPublishBelowRoleLevel(), vClass.getHiddenFromPublishBelowRoleLevel());
+		Assert.assertEquals(vClassJena.getPickListName(), vClass.getPickListName());  
+		Assert.assertEquals(vClassJena.getExample(), vClass.getExample());  
+		Assert.assertEquals(vClassJena.getDescription(), vClass.getDescription());  
+		Assert.assertEquals(vClassJena.getShortDef(), vClass.getShortDef());  
+		Assert.assertEquals(vClassJena.getDisplayRank(), vClass.getDisplayRank());  
+		Assert.assertEquals(vClassJena.getGroupURI(), vClass.getGroupURI());  
+		Assert.assertEquals(vClassJena.getCustomEntryForm(), vClass.getCustomEntryForm());  
+		Assert.assertEquals(vClassJena.getCustomShortView(), vClass.getCustomShortView());  
+		Assert.assertEquals(vClassJena.getCustomSearchView(), vClass.getCustomSearchView());  
+		Assert.assertEquals(vClassJena.getSearchBoost(), vClass.getSearchBoost());  
 
 	}
 
@@ -168,9 +162,6 @@ void printModels(OntModel ontModel) {
     protected AnnotationProperty LOCAL_PROPERTY_CUSTOMDISPLAYVIEWANNOT = _constModel.createAnnotationProperty(VitroVocabulary.PROPERTY_CUSTOMDISPLAYVIEWANNOT);
     protected AnnotationProperty LOCAL_PROPERTY_CUSTOMSHORTVIEWANNOT = _constModel.createAnnotationProperty(VitroVocabulary.PROPERTY_CUSTOMSHORTVIEWANNOT);
     protected AnnotationProperty LOCAL_PROPERTY_CUSTOMSEARCHVIEWANNOT = _constModel.createAnnotationProperty(VitroVocabulary.PROPERTY_CUSTOMSEARCHVIEWANNOT);
-    protected AnnotationProperty LOCAL_HIDDEN_FROM_DISPLAY_BELOW_ROLE_LEVEL_ANNOT = _constModel.createAnnotationProperty(VitroVocabulary.HIDDEN_FROM_DISPLAY_BELOW_ROLE_LEVEL_ANNOT);
-    protected AnnotationProperty LOCAL_PROHIBITED_FROM_UPDATE_BELOW_ROLE_LEVEL_ANNOT = _constModel.createAnnotationProperty(VitroVocabulary.PROHIBITED_FROM_UPDATE_BELOW_ROLE_LEVEL_ANNOT);
-    protected AnnotationProperty LOCAL_HIDDEN_FROM_PUBLISH_BELOW_ROLE_LEVEL_ANNOT = _constModel.createAnnotationProperty(VitroVocabulary.HIDDEN_FROM_PUBLISH_BELOW_ROLE_LEVEL_ANNOT);
     protected AnnotationProperty LOCAL_IN_CLASSGROUP = _constModel.createAnnotationProperty(VitroVocabulary.IN_CLASSGROUP);
 
 
@@ -210,64 +201,6 @@ private VClass vClassWebappFromOntClass(OntClass cls, WebappDaoFactoryJena wadf)
             vcw.setCustomShortView(getPropertyStringValue(cls,LOCAL_PROPERTY_CUSTOMSHORTVIEWANNOT));
             vcw.setCustomSearchView(getPropertyStringValue(cls,LOCAL_PROPERTY_CUSTOMSEARCHVIEWANNOT));
             vcw.setSearchBoost(getPropertyFloatValue(cls,LOCAL_SEARCH_BOOST_ANNOT));
-
-            //There might be multiple HIDDEN_FROM_EDIT_DISPLAY_ANNOT properties, only use the highest
-            StmtIterator it = cls.listProperties(LOCAL_HIDDEN_FROM_DISPLAY_BELOW_ROLE_LEVEL_ANNOT);
-            BaseResourceBean.RoleLevel hiddenRoleLevel = null;
-            while( it.hasNext() ){
-                Statement stmt = it.nextStatement();
-                RDFNode obj;
-                if( stmt != null && (obj = stmt.getObject()) != null && obj.isURIResource() ){
-                    Resource res = (Resource)obj.as(Resource.class);
-                    if( res != null && res.getURI() != null ){
-                        BaseResourceBean.RoleLevel roleFromModel = BaseResourceBean.RoleLevel.getRoleByUri(res.getURI());
-                        if( roleFromModel != null &&
-                            (hiddenRoleLevel == null || roleFromModel.compareTo(hiddenRoleLevel) > 0 )){
-                            hiddenRoleLevel = roleFromModel;
-                        }
-                    }
-                }
-            }
-            vcw.setHiddenFromDisplayBelowRoleLevel(hiddenRoleLevel);//this might get set to null
-
-            //There might be multiple PROHIBITED_FROM_UPDATE_DISPLAY_ANNOT properties, only use the highest
-            it = cls.listProperties(LOCAL_PROHIBITED_FROM_UPDATE_BELOW_ROLE_LEVEL_ANNOT);
-            BaseResourceBean.RoleLevel prohibitedRoleLevel = null;
-            while( it.hasNext() ){
-                Statement stmt = it.nextStatement();
-                RDFNode obj;
-                if( stmt != null && (obj = stmt.getObject()) != null && obj.isURIResource() ){
-                    Resource res = (Resource)obj.as(Resource.class);
-                    if( res != null && res.getURI() != null ){
-                        BaseResourceBean.RoleLevel roleFromModel = BaseResourceBean.RoleLevel.getRoleByUri(res.getURI());
-                        if( roleFromModel != null &&
-                            (prohibitedRoleLevel == null || roleFromModel.compareTo(prohibitedRoleLevel) > 0 )){
-                            prohibitedRoleLevel = roleFromModel;
-                        }
-                    }
-                }
-            }
-            vcw.setProhibitedFromUpdateBelowRoleLevel(prohibitedRoleLevel);//this might get set to null
-
-            //There might be multiple LOCAL_HIDDEN_FROM_PUBLISH_BELOW_ROLE_LEVEL_ANNOT properties, only use the highest
-            it = cls.listProperties(LOCAL_HIDDEN_FROM_PUBLISH_BELOW_ROLE_LEVEL_ANNOT);
-            BaseResourceBean.RoleLevel publishRoleLevel = null;
-            while( it.hasNext() ){
-                Statement stmt = it.nextStatement();
-                RDFNode obj;
-                if( stmt != null && (obj = stmt.getObject()) != null && obj.isURIResource() ){
-                    Resource res = (Resource)obj.as(Resource.class);
-                    if( res != null && res.getURI() != null ){
-                        BaseResourceBean.RoleLevel roleFromModel = BaseResourceBean.RoleLevel.getRoleByUri(res.getURI());
-                        if( roleFromModel != null &&
-                            (publishRoleLevel == null || roleFromModel.compareTo(publishRoleLevel) > 0 )){
-                            publishRoleLevel = roleFromModel;
-                        }
-                    }
-                }
-            }
-            vcw.setHiddenFromPublishBelowRoleLevel(publishRoleLevel);//this might get set to null
-
         } finally {
             cls.getModel().leaveCriticalSection();
         }
diff --git a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/i18n/TranslationConverterTest.java b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/i18n/TranslationConverterTest.java
index 47eb9952db..aa77b7d20f 100644
--- a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/i18n/TranslationConverterTest.java
+++ b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/i18n/TranslationConverterTest.java
@@ -15,12 +15,16 @@
 import org.apache.jena.rdf.model.SimpleSelector;
 import org.apache.jena.rdf.model.StmtIterator;
 import org.apache.jena.rdf.model.impl.PropertyImpl;
+import org.apache.log4j.Level;
+import org.apache.log4j.LogManager;
+import org.apache.log4j.Logger;
+import org.junit.After;
+import org.junit.Before;
 import org.junit.Test;
-
 import stubs.javax.servlet.ServletContextStub;
 
-public class TranslationConverterTest {
 
+public class TranslationConverterTest {
 	private static final String WILMA = "wilma";
 	private static final String HAS_THEME = "http://vivoweb.org/ontology/vitro/ui-label/vocabulary#hasTheme";
 	private static final String VITRO = "Vitro";
@@ -32,9 +36,21 @@ public class TranslationConverterTest {
 	ServletContextStub ctx = new ServletContextStub();
 	private OntModel model;
 	
-	@Test
-	public void testConversion() throws FileNotFoundException {
-		VitroResourceBundle.addAppPrefix("customprefix");
+    @Before
+    public void init() {
+        Logger logger = LogManager.getLogger(TranslationConverter.class);
+        logger.setLevel(Level.ERROR);
+    }
+
+    @After
+    public void finish() {
+        Logger logger = LogManager.getLogger(TranslationConverter.class);
+        logger.setLevel(Level.INFO);
+    }
+
+    @Test
+    public void testConversion() throws FileNotFoundException {
+        VitroResourceBundle.addAppPrefix("customprefix");
 		VitroResourceBundle.addAppPrefix("vivo");
 		TranslationConverter converter = TranslationConverter.getInstance();
 		model = converter.memModel;
diff --git a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/i18n/TranslationProviderTest.java b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/i18n/TranslationProviderTest.java
index 07aa07965d..f9a98a3f0c 100644
--- a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/i18n/TranslationProviderTest.java
+++ b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/i18n/TranslationProviderTest.java
@@ -11,151 +11,169 @@
 import org.apache.jena.query.DatasetFactory;
 import org.apache.jena.rdf.model.Model;
 import org.apache.jena.rdf.model.ModelFactory;
+import org.apache.log4j.Level;
+import org.apache.log4j.LogManager;
+import org.apache.log4j.Logger;
+import org.junit.After;
+import org.junit.Before;
 import org.junit.Test;
 
 import edu.cornell.mannlib.vitro.webapp.rdfservice.impl.jena.model.RDFServiceModel;
 
 public class TranslationProviderTest {
 
-	private static final String VITRO = "Vitro";
-	private static final String VIVO = "VIVO";
-	private static final String ROOT = "src/test/resources/edu/cornell/mannlib/vitro/webapp/i18n/TranslationProviderTest/";
-	private static final String TRANSLATIONS_N3_FILE = ROOT + "modelInitContent.n3";
-	private static final String WILMA = "wilma";
-	private static final String NEMO = "nemo";
-
-	private Model i18nModel;
-	private RDFServiceModel rdfService;
-	private TranslationProvider tp;
-
-	public void init(String i18nFile, String themeName, String appName) throws FileNotFoundException {
-		i18nModel = ModelFactory.createDefaultModel();
-		i18nModel.read(new FileReader(new File(i18nFile)), null, "n3");
-		Dataset ds = DatasetFactory.createTxnMem();
-		ds.addNamedModel("http://vitro.mannlib.cornell.edu/default/interface-i18n", i18nModel);
-		rdfService = new RDFServiceModel(ds);
-		tp = TranslationProvider.getInstance();
-		tp.rdfService = rdfService;
-		tp.setTheme(themeName);
-		tp.application = appName;
-		tp.clearCache();
-	}
-
-	@Test
-	public void testNotExistingKey() throws FileNotFoundException {
-		init(TRANSLATIONS_N3_FILE, WILMA, VITRO);
-		Object array[] = {};
-		String translation = tp.getTranslation(Collections.singletonList("en-US"), "non_existing_key", array);
-		assertEquals("ERROR: Translation not found 'non_existing_key'", translation);
-	}
-
-	@Test
-	public void testVitroWilmaEnUS() throws FileNotFoundException {
-		init(TRANSLATIONS_N3_FILE, WILMA, VITRO);
-		Object array[] = {};
-		String translation = tp.getTranslation(Collections.singletonList("en-US"), "testkey", array);
-		assertEquals("testkey Vitro wilma en-US", translation);
-	}
-
-	@Test
-	public void testVitroWilmaDeDE() throws FileNotFoundException {
-		init(TRANSLATIONS_N3_FILE, WILMA, VITRO);
-		Object array[] = {};
-		String translation = tp.getTranslation(Collections.singletonList("de-DE"), "testkey", array);
-		assertEquals("testkey Vitro wilma de-DE", translation);
-	}
-
-	@Test
-	public void testVIVOWilmaEnUS() throws FileNotFoundException {
-		init(TRANSLATIONS_N3_FILE, WILMA, VIVO);
-		Object array[] = {};
-		String translation = tp.getTranslation(Collections.singletonList("en-US"), "testkey", array);
-		assertEquals("testkey VIVO wilma en-US", translation);
-	}
-
-	@Test
-	public void testVIVOWilmaDeDE() throws FileNotFoundException {
-		init(TRANSLATIONS_N3_FILE, WILMA, VIVO);
-		Object array[] = {};
-		String translation = tp.getTranslation(Collections.singletonList("de-DE"), "testkey", array);
-		assertEquals("testkey VIVO wilma de-DE", translation);
-	}
-
-	@Test
-	public void testThemeFallbackVitroNemoEnUS() throws FileNotFoundException {
-		init(TRANSLATIONS_N3_FILE, NEMO, VITRO);
-		Object array[] = {};
-		String translation = tp.getTranslation(Collections.singletonList("en-US"), "testkey", array);
-		assertEquals("testkey Vitro no theme en-US", translation);
-	}
-
-	@Test
-	public void testThemeFallbackVitroNemoDeDE() throws FileNotFoundException {
-		init(TRANSLATIONS_N3_FILE, NEMO, VITRO);
-		Object array[] = {};
-		String translation = tp.getTranslation(Collections.singletonList("de-DE"), "testkey", array);
-		assertEquals("testkey Vitro no theme de-DE", translation);
-	}
-
-	@Test
-	public void testThemeFallbackVIVONemoEnUS() throws FileNotFoundException {
-		init(TRANSLATIONS_N3_FILE, NEMO, VIVO);
-		Object array[] = {};
-		String translation = tp.getTranslation(Collections.singletonList("en-US"), "testkey", array);
-		assertEquals("testkey VIVO no theme en-US", translation);
-	}
-
-	@Test
-	public void testThemeFallbackVIVONemoDeDE() throws FileNotFoundException {
-		init(TRANSLATIONS_N3_FILE, NEMO, VIVO);
-		Object array[] = {};
-		String translation = tp.getTranslation(Collections.singletonList("de-DE"), "testkey", array);
-		assertEquals("testkey VIVO no theme de-DE", translation);
-	}
-
-	@Test
-	public void testAppFallbackVIVONemoEnUS() throws FileNotFoundException {
-		init(TRANSLATIONS_N3_FILE, WILMA, VIVO);
-		Object array[] = {};
-		String translation = tp.getTranslation(Collections.singletonList("en-US"), "testkey_app_fallback", array);
-		assertEquals("testkey_app_fallback Vitro wilma en-US", translation);
-	}
-
-	@Test
-	public void testAppFallbackVIVONemoDeDE() throws FileNotFoundException {
-		init(TRANSLATIONS_N3_FILE, WILMA, VIVO);
-		Object array[] = {};
-		String translation = tp.getTranslation(Collections.singletonList("de-DE"), "testkey_app_fallback", array);
-		assertEquals("testkey_app_fallback Vitro wilma de-DE", translation);
-	}
-
-	@Test
-	public void testAppAndThemeFallbackVIVONemoEnUS() throws FileNotFoundException {
-		init(TRANSLATIONS_N3_FILE, NEMO, VIVO);
-		Object array[] = {};
-		String translation = tp.getTranslation(Collections.singletonList("en-US"), "testkey_app_fallback", array);
-		assertEquals("testkey_app_fallback Vitro no theme en-US", translation);
-	}
-
-	@Test
-	public void testAppAndThemeFallbackVIVONemoDeDE() throws FileNotFoundException {
-		init(TRANSLATIONS_N3_FILE, NEMO, VIVO);
-		Object array[] = {};
-		String translation = tp.getTranslation(Collections.singletonList("de-DE"), "testkey_app_fallback", array);
-		assertEquals("testkey_app_fallback Vitro no theme de-DE", translation);
-	}
-
-	@Test
-	public void testCache() throws FileNotFoundException {
-		init(TRANSLATIONS_N3_FILE, WILMA, VITRO);
-		Object array[] = {};
-		String translation = tp.getTranslation(Collections.singletonList("en-US"), "testkey", array);
-		assertEquals("testkey Vitro wilma en-US", translation);
-		tp.application = VIVO;
-		translation = tp.getTranslation(Collections.singletonList("en-US"), "testkey", array);
-		assertEquals("testkey Vitro wilma en-US", translation);
-		tp.clearCache();
-		translation = tp.getTranslation(Collections.singletonList("en-US"), "testkey", array);
-		assertEquals("testkey VIVO wilma en-US", translation);
-	}
+    private static final String VITRO = "Vitro";
+    private static final String VIVO = "VIVO";
+    private static final String ROOT =
+            "src/test/resources/edu/cornell/mannlib/vitro/webapp/i18n/TranslationProviderTest/";
+    private static final String TRANSLATIONS_N3_FILE = ROOT + "modelInitContent.n3";
+    private static final String WILMA = "wilma";
+    private static final String NEMO = "nemo";
+
+    private Model i18nModel;
+    private RDFServiceModel rdfService;
+    private TranslationProvider tp;
+
+    @Before
+    public void init() {
+        Logger logger = LogManager.getLogger(TranslationProvider.class);
+        logger.setLevel(Level.ERROR);
+    }
+
+    @After
+    public void finish() {
+        Logger logger = LogManager.getLogger(TranslationProvider.class);
+        logger.setLevel(Level.INFO);
+    }
+
+    public void init(String i18nFile, String themeName, String appName) throws FileNotFoundException {
+        i18nModel = ModelFactory.createDefaultModel();
+        i18nModel.read(new FileReader(new File(i18nFile)), null, "n3");
+        Dataset ds = DatasetFactory.createTxnMem();
+        ds.addNamedModel("http://vitro.mannlib.cornell.edu/default/interface-i18n", i18nModel);
+        rdfService = new RDFServiceModel(ds);
+        tp = TranslationProvider.getInstance();
+        tp.rdfService = rdfService;
+        tp.setTheme(themeName);
+        tp.application = appName;
+        tp.clearCache();
+    }
+
+    @Test
+    public void testNotExistingKey() throws FileNotFoundException {
+        init(TRANSLATIONS_N3_FILE, WILMA, VITRO);
+        Object array[] = {};
+        String translation = tp.getTranslation(Collections.singletonList("en-US"), "non_existing_key", array);
+        assertEquals("ERROR: Translation not found 'non_existing_key'", translation);
+    }
+
+    @Test
+    public void testVitroWilmaEnUS() throws FileNotFoundException {
+        init(TRANSLATIONS_N3_FILE, WILMA, VITRO);
+        Object array[] = {};
+        String translation = tp.getTranslation(Collections.singletonList("en-US"), "testkey", array);
+        assertEquals("testkey Vitro wilma en-US", translation);
+    }
+
+    @Test
+    public void testVitroWilmaDeDE() throws FileNotFoundException {
+        init(TRANSLATIONS_N3_FILE, WILMA, VITRO);
+        Object array[] = {};
+        String translation = tp.getTranslation(Collections.singletonList("de-DE"), "testkey", array);
+        assertEquals("testkey Vitro wilma de-DE", translation);
+    }
+
+    @Test
+    public void testVIVOWilmaEnUS() throws FileNotFoundException {
+        init(TRANSLATIONS_N3_FILE, WILMA, VIVO);
+        Object array[] = {};
+        String translation = tp.getTranslation(Collections.singletonList("en-US"), "testkey", array);
+        assertEquals("testkey VIVO wilma en-US", translation);
+    }
+
+    @Test
+    public void testVIVOWilmaDeDE() throws FileNotFoundException {
+        init(TRANSLATIONS_N3_FILE, WILMA, VIVO);
+        Object array[] = {};
+        String translation = tp.getTranslation(Collections.singletonList("de-DE"), "testkey", array);
+        assertEquals("testkey VIVO wilma de-DE", translation);
+    }
+
+    @Test
+    public void testThemeFallbackVitroNemoEnUS() throws FileNotFoundException {
+        init(TRANSLATIONS_N3_FILE, NEMO, VITRO);
+        Object array[] = {};
+        String translation = tp.getTranslation(Collections.singletonList("en-US"), "testkey", array);
+        assertEquals("testkey Vitro no theme en-US", translation);
+    }
+
+    @Test
+    public void testThemeFallbackVitroNemoDeDE() throws FileNotFoundException {
+        init(TRANSLATIONS_N3_FILE, NEMO, VITRO);
+        Object array[] = {};
+        String translation = tp.getTranslation(Collections.singletonList("de-DE"), "testkey", array);
+        assertEquals("testkey Vitro no theme de-DE", translation);
+    }
+
+    @Test
+    public void testThemeFallbackVIVONemoEnUS() throws FileNotFoundException {
+        init(TRANSLATIONS_N3_FILE, NEMO, VIVO);
+        Object array[] = {};
+        String translation = tp.getTranslation(Collections.singletonList("en-US"), "testkey", array);
+        assertEquals("testkey VIVO no theme en-US", translation);
+    }
+
+    @Test
+    public void testThemeFallbackVIVONemoDeDE() throws FileNotFoundException {
+        init(TRANSLATIONS_N3_FILE, NEMO, VIVO);
+        Object array[] = {};
+        String translation = tp.getTranslation(Collections.singletonList("de-DE"), "testkey", array);
+        assertEquals("testkey VIVO no theme de-DE", translation);
+    }
+
+    @Test
+    public void testAppFallbackVIVONemoEnUS() throws FileNotFoundException {
+        init(TRANSLATIONS_N3_FILE, WILMA, VIVO);
+        Object array[] = {};
+        String translation = tp.getTranslation(Collections.singletonList("en-US"), "testkey_app_fallback", array);
+        assertEquals("testkey_app_fallback Vitro wilma en-US", translation);
+    }
+
+    @Test
+    public void testAppFallbackVIVONemoDeDE() throws FileNotFoundException {
+        init(TRANSLATIONS_N3_FILE, WILMA, VIVO);
+        Object array[] = {};
+        String translation = tp.getTranslation(Collections.singletonList("de-DE"), "testkey_app_fallback", array);
+        assertEquals("testkey_app_fallback Vitro wilma de-DE", translation);
+    }
+
+    @Test
+    public void testAppAndThemeFallbackVIVONemoEnUS() throws FileNotFoundException {
+        init(TRANSLATIONS_N3_FILE, NEMO, VIVO);
+        Object array[] = {};
+        String translation = tp.getTranslation(Collections.singletonList("en-US"), "testkey_app_fallback", array);
+        assertEquals("testkey_app_fallback Vitro no theme en-US", translation);
+    }
+
+    @Test
+    public void testAppAndThemeFallbackVIVONemoDeDE() throws FileNotFoundException {
+        init(TRANSLATIONS_N3_FILE, NEMO, VIVO);
+        Object array[] = {};
+        String translation = tp.getTranslation(Collections.singletonList("de-DE"), "testkey_app_fallback", array);
+        assertEquals("testkey_app_fallback Vitro no theme de-DE", translation);
+    }
+
+    @Test
+    public void testCache() throws FileNotFoundException {
+        init(TRANSLATIONS_N3_FILE, WILMA, VITRO);
+        Object array[] = {};
+        String translation = tp.getTranslation(Collections.singletonList("en-US"), "testkey", array);
+        assertEquals("testkey Vitro wilma en-US", translation);
+        tp.application = VIVO;
+        translation = tp.getTranslation(Collections.singletonList("en-US"), "testkey", array);
+        assertEquals("testkey Vitro wilma en-US", translation);
+        tp.clearCache();
+        translation = tp.getTranslation(Collections.singletonList("en-US"), "testkey", array);
+        assertEquals("testkey VIVO wilma en-US", translation);
+    }
 }
diff --git a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/migration/auth/AnnotationMigratorTest.java b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/migration/auth/AnnotationMigratorTest.java
new file mode 100644
index 0000000000..9c8a2e6811
--- /dev/null
+++ b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/migration/auth/AnnotationMigratorTest.java
@@ -0,0 +1,70 @@
+package edu.cornell.mannlib.vitro.webapp.migration.auth;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.util.Map;
+import java.util.Set;
+
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.OperationGroup;
+import edu.cornell.mannlib.vitro.webapp.modelaccess.ModelNames;
+import edu.cornell.mannlib.vitro.webapp.rdfservice.impl.jena.model.RDFServiceModel;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.jena.rdf.model.Model;
+import org.apache.jena.rdf.model.ModelFactory;
+import org.junit.Test;
+
+public class AnnotationMigratorTest extends AuthMigratorTest {
+
+    @Test
+    public void testGetAnnotationConfigs() {
+        AnnotationMigrator annotationMigrator =
+                new AnnotationMigrator(new RDFServiceModel(contentModel), new RDFServiceModel(configurationDataSet));
+        Map<String, Map<OperationGroup, Set<String>>> configs = annotationMigrator.getObjectPropertyAnnotations();
+        Set<String> ops = configs.keySet();
+        assertEquals(1, configs.size());
+        configs = annotationMigrator.getDataPropertyAnnotations();
+        Set<String> dps = configs.keySet();
+        assertEquals(1, configs.size());
+        configs = annotationMigrator.getClassAnnotations();
+        assertEquals(2, configs.size());
+        configs = annotationMigrator.getFauxObjectPropertyAnnotations(ops);
+        assertEquals(1, configs.size());
+        configs = annotationMigrator.getFauxDataPropertyAnnotations(dps);
+        assertEquals(1, configs.size());
+    }
+
+    @Test
+    public void testConvertAnnotationConfiguration() {
+        AnnotationMigrator annotationMigrator =
+                new AnnotationMigrator(new RDFServiceModel(contentModel), new RDFServiceModel(configurationDataSet));
+        Model tmpModel = ModelFactory.createDefaultModel();
+        tmpModel.add(configurationDataSet.getNamedModel(ModelNames.ACCESS_CONTROL));
+        long initialSize = accessControlModel.size();
+        annotationMigrator.migrateConfiguration();
+        assertTrue(configurationDataSet.getNamedModel(ModelNames.ACCESS_CONTROL).size() > initialSize);
+        Model diff = configurationDataSet.getNamedModel(ModelNames.ACCESS_CONTROL).difference(tmpModel);
+        try (ByteArrayOutputStream baos = new ByteArrayOutputStream()) {
+            diff.write(baos, "TTL");
+            String newData = baos.toString();
+            assertFalse(StringUtils.isBlank(newData));
+        } catch (IOException e) {
+            e.printStackTrace();
+        }
+    }
+
+    @Test
+    public void testConfigurationVersion() {
+        Model tmpModel = ModelFactory.createDefaultModel();
+        tmpModel.add(configurationDataSet.getNamedModel(ModelNames.ACCESS_CONTROL));
+        assertEquals(0L, migrator.getVersion());
+        migrator.setVersion(1);
+        assertEquals(1L, migrator.getVersion());
+        migrator.removeVersion(1);
+        migrator.setVersion(2);
+        assertEquals(2L, migrator.getVersion());
+    }
+}
diff --git a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/migration/auth/ArmMigratorTest.java b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/migration/auth/ArmMigratorTest.java
new file mode 100644
index 0000000000..db01ad83b7
--- /dev/null
+++ b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/migration/auth/ArmMigratorTest.java
@@ -0,0 +1,145 @@
+package edu.cornell.mannlib.vitro.webapp.migration.auth;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+
+import java.util.Map;
+import java.util.Set;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType;
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation;
+import edu.cornell.mannlib.vitro.webapp.auth.policy.EntityPolicyController;
+import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyTest;
+import edu.cornell.mannlib.vitro.webapp.dao.VitroVocabulary;
+import edu.cornell.mannlib.vitro.webapp.modelaccess.ModelNames;
+import edu.cornell.mannlib.vitro.webapp.rdfservice.impl.jena.model.RDFServiceModel;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.jena.ontology.OntModel;
+import org.apache.jena.rdf.model.ModelFactory;
+import org.apache.jena.rdf.model.Statement;
+import org.apache.jena.rdf.model.impl.PropertyImpl;
+import org.apache.jena.rdf.model.impl.ResourceImpl;
+import org.apache.jena.rdf.model.impl.StatementImpl;
+import org.junit.Before;
+import org.junit.Test;
+
+public class ArmMigratorTest extends AuthMigratorTest {
+
+    private static final String FAUX_DATA_PROPERTY_URI = "http://vitro.mannlib.cornell.edu/ns/vitro/siteConfig/fp396";
+    private static final String FAUX_OBJECT_PROPERTY_URI = "http://vitro.mannlib.cornell.edu/ns/vitro/siteConfig/orgAdministersGrantConfig";
+    private static final String DATA_PROPERTY_URI = "http://vivoweb.org/ontology/core#abbreviation";
+    private static final String CLASS_URI = "http://xmlns.com/foaf/0.1/Organization";
+    private static final String OBJECT_PROPERTY_URI = "http://purl.obolibrary.org/obo/RO_0000053";
+    private OntModel userAccountsModel;
+    private ArmMigrator armMigrator;
+    private String propertyUri = "http://vitro.mannlib.cornell.edu/ns/vitro/authorization#forEntity";
+    private String value = "https://vivoweb.org/ontology/vitro-application/auth/vocabulary/value";
+
+    @Before
+    public void initArmMigration() {
+        userAccountsModel = ModelFactory.createOntologyModel();
+        configurationDataSet.addNamedModel(ModelNames.USER_ACCOUNTS, userAccountsModel);
+    }
+
+    @Test
+    public void isArmConfigurationTest() {
+        armMigrator = new ArmMigrator(new RDFServiceModel(contentModel), new RDFServiceModel(configurationDataSet),
+                userAccountsModel);
+        assertFalse(armMigrator.isArmConfiguation());
+        addArmStatement(ArmMigrator.ARM_ADMIN, ArmMigrator.DISPLAY, OBJECT_PROPERTY_URI);
+        assertTrue(armMigrator.isArmConfiguation());
+    }
+
+    private void addArmStatement(String role, String operation, String uri) {
+        String persmissionUri = ArmMigrator.getArmPermissionSubject(operation, role);
+        String objectUri = uri;
+        addUserAccountsStatement(persmissionUri, objectUri, propertyUri);
+    }
+
+    private void addUserAccountsStatement(String subjUri, String objUri, String pUri) {
+        Statement statement =
+                new StatementImpl(new ResourceImpl(subjUri), new PropertyImpl(pUri), new ResourceImpl(objUri));
+        userAccountsModel.add(statement);
+        configurationDataSet.replaceNamedModel(ModelNames.USER_ACCOUNTS, userAccountsModel);
+    }
+
+    @Test
+    public void getEntityMapTest() {
+        armMigrator = new ArmMigrator(new RDFServiceModel(contentModel), new RDFServiceModel(configurationDataSet),
+                userAccountsModel);
+        Map<AccessObjectType, Set<String>> map = armMigrator.getEntityMap();
+        assertFalse(map.isEmpty());
+        assertEquals(1, map.get(AccessObjectType.OBJECT_PROPERTY).size());
+        assertEquals(1, map.get(AccessObjectType.DATA_PROPERTY).size());
+        assertEquals(2, map.get(AccessObjectType.CLASS).size());
+        assertEquals(1, map.get(AccessObjectType.FAUX_DATA_PROPERTY).size());
+        assertEquals(1, map.get(AccessObjectType.FAUX_DATA_PROPERTY).size());
+    }
+
+    @Test
+    public void getStatementsToRemoveTest() {
+        armMigrator = new ArmMigrator(new RDFServiceModel(contentModel), new RDFServiceModel(configurationDataSet),
+                userAccountsModel);
+        StringBuilder removals = armMigrator.getStatementsToRemove();
+        assertTrue(StringUtils.isBlank(removals.toString()));
+        EntityPolicyController.updateEntityDataSet("test:entity", AccessObjectType.CLASS,
+                AccessOperation.DISPLAY, ROLE_LIST, ROLE_LIST);
+        removals = armMigrator.getStatementsToRemove();
+        assertEquals(5, getCount("\n", removals.toString()));
+    }
+
+    @Test
+    public void migrateConfigurationTest() {
+        addUserAccountsStatement(PolicyTest.CUSTOM, VitroVocabulary.PERMISSIONSET, VitroVocabulary.RDF_TYPE);
+        armMigrator = new ArmMigrator(new RDFServiceModel(contentModel), new RDFServiceModel(configurationDataSet),
+                userAccountsModel);
+
+        addArmStatement(ArmMigrator.ARM_ADMIN, ArmMigrator.DISPLAY, OBJECT_PROPERTY_URI);
+        addArmStatement(ArmMigrator.ARM_EDITOR, ArmMigrator.PUBLISH, OBJECT_PROPERTY_URI);
+        addArmStatement(ArmMigrator.ARM_CURATOR, ArmMigrator.UPDATE, OBJECT_PROPERTY_URI);
+        addArmStatement(ArmMigrator.ARM_SELF_EDITOR, ArmMigrator.DISPLAY, CLASS_URI);
+        addArmStatement(ArmMigrator.ARM_EDITOR, ArmMigrator.PUBLISH, CLASS_URI);
+
+        addArmStatement(ArmMigrator.ARM_ADMIN, ArmMigrator.DISPLAY, DATA_PROPERTY_URI);
+        addArmStatement(ArmMigrator.ARM_EDITOR, ArmMigrator.PUBLISH, DATA_PROPERTY_URI);
+        addArmStatement(ArmMigrator.ARM_CURATOR, ArmMigrator.UPDATE, DATA_PROPERTY_URI);
+        addArmStatement(ArmMigrator.ARM_SELF_EDITOR, ArmMigrator.DISPLAY, FAUX_DATA_PROPERTY_URI);
+        addArmStatement(ArmMigrator.ARM_EDITOR, ArmMigrator.PUBLISH, FAUX_DATA_PROPERTY_URI);
+        addArmStatement(ArmMigrator.ARM_ADMIN, ArmMigrator.UPDATE, FAUX_DATA_PROPERTY_URI);
+        addArmStatement(ArmMigrator.ARM_PUBLIC, ArmMigrator.DISPLAY, FAUX_OBJECT_PROPERTY_URI);
+        addArmStatement(ArmMigrator.ARM_EDITOR, ArmMigrator.PUBLISH, FAUX_OBJECT_PROPERTY_URI);
+        addArmStatement(ArmMigrator.ARM_CURATOR, ArmMigrator.UPDATE, FAUX_OBJECT_PROPERTY_URI);
+        addArmStatement(ArmMigrator.ARM_CUSTOM, ArmMigrator.DISPLAY, OBJECT_PROPERTY_URI);
+        addArmStatement(ArmMigrator.ARM_CUSTOM, ArmMigrator.UPDATE, FAUX_DATA_PROPERTY_URI);
+        addArmStatement(ArmMigrator.ARM_CUSTOM, ArmMigrator.DISPLAY, CLASS_URI);
+
+        // TODO Class UPDATE permissions migration.
+        // addArmStatement(ArmMigrator.ARM_EDITOR, ArmMigrator.UPDATE, CLASS_URI);
+        // addArmStatement(ArmMigrator.ARM_EDITOR, ArmMigrator.UPDATE, CLASS_URI);
+
+        Map<AccessObjectType, Set<String>> entityTypeMap = armMigrator.getEntityMap();
+        armMigrator.collectAdditions(entityTypeMap);
+        String stringResult = armMigrator.additions.toString();
+        assertFalse(stringResult.isEmpty());
+        assertEquals(59, getCount("\n", stringResult));
+        assertEquals(59, getCount(value, stringResult));
+        assertEquals(26, getCount(VitroVocabulary.LABEL, stringResult));
+        assertEquals(6, getCount(OBJECT_PROPERTY_URI, stringResult));
+        assertEquals(3, getCount(CLASS_URI, stringResult));
+        assertEquals(5, getCount(DATA_PROPERTY_URI, stringResult));
+        assertEquals(12, getCount(FAUX_DATA_PROPERTY_URI, stringResult));
+        assertEquals(7, getCount(FAUX_OBJECT_PROPERTY_URI, stringResult));
+    }
+
+    private static long getCount(String pattern, String lines) {
+        Matcher matcher = Pattern.compile(pattern).matcher(lines);
+        long i = 0;
+        while (matcher.find()) {
+            i++;
+        }
+        return i;
+    }
+}
diff --git a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/migration/auth/AuthMigratorTest.java b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/migration/auth/AuthMigratorTest.java
new file mode 100644
index 0000000000..fde4eba7ed
--- /dev/null
+++ b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/migration/auth/AuthMigratorTest.java
@@ -0,0 +1,46 @@
+package edu.cornell.mannlib.vitro.webapp.migration.auth;
+
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AttributeValueSetRegistry;
+import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyTest;
+import edu.cornell.mannlib.vitro.webapp.modelaccess.ModelNames;
+import edu.cornell.mannlib.vitro.webapp.rdfservice.impl.jena.model.RDFServiceModel;
+import org.apache.jena.rdf.model.Model;
+import org.apache.jena.rdf.model.ModelFactory;
+import org.apache.log4j.Level;
+import org.apache.log4j.LogManager;
+import org.junit.After;
+import org.junit.Before;
+
+public class AuthMigratorTest extends PolicyTest {
+    protected static final String TEST_MIGRATION_RESOURCES_PREFIX =
+            "src/test/resources/edu/cornell/mannlib/vitro/webapp/auth/migration/";
+    protected static final String CONTENT = TEST_MIGRATION_RESOURCES_PREFIX + "content.n3";
+    protected static final String CONFIGURATION = TEST_MIGRATION_RESOURCES_PREFIX + "configuration.n3";
+
+    protected Model contentModel;
+    protected Model configurationModel;
+    protected AuthMigrator migrator;
+
+    @Before
+    public void initAuthMigration() {
+        contentModel = ModelFactory.createDefaultModel();
+        configurationModel = ModelFactory.createDefaultModel();
+        migrator = new AuthMigrator();
+        configurationDataSet.addNamedModel(ModelNames.DISPLAY, configurationModel);
+        migrator.initialize(new RDFServiceModel(contentModel), new RDFServiceModel(configurationDataSet));
+        loadAllEntityPolicies();
+        load(configurationModel, CONFIGURATION);
+        configurationDataSet.replaceNamedModel(ModelNames.DISPLAY, configurationModel);
+        load(contentModel, CONTENT);
+        AttributeValueSetRegistry.getInstance().clear();
+        LogManager.getLogger(AnnotationMigrator.class).setLevel(Level.ERROR);
+        LogManager.getLogger(ArmMigrator.class).setLevel(Level.ERROR);
+    }
+
+    @After
+    public void finish() {
+        LogManager.getLogger(AnnotationMigrator.class).setLevel(Level.INFO);
+        LogManager.getLogger(ArmMigrator.class).setLevel(Level.INFO);
+    }
+
+}
diff --git a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/migration/auth/SimplePermissionMigratorTest.java b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/migration/auth/SimplePermissionMigratorTest.java
new file mode 100644
index 0000000000..ebf6066309
--- /dev/null
+++ b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/migration/auth/SimplePermissionMigratorTest.java
@@ -0,0 +1,120 @@
+package edu.cornell.mannlib.vitro.webapp.migration.auth;
+
+import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType.NAMED_OBJECT;
+import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation.EXECUTE;
+import static edu.cornell.mannlib.vitro.webapp.auth.permissions.SimplePermission.ACCESS_SPECIAL_DATA_MODELS;
+import static edu.cornell.mannlib.vitro.webapp.dao.VitroVocabulary.PERMISSIONSET;
+import static edu.cornell.mannlib.vitro.webapp.dao.VitroVocabulary.PERMISSIONSET_HAS_PERMISSION;
+import static edu.cornell.mannlib.vitro.webapp.dao.VitroVocabulary.RDF_TYPE;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+
+import java.util.Set;
+
+import edu.cornell.mannlib.vitro.webapp.auth.permissions.SimplePermission;
+import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyLoader;
+import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyTemplateController;
+import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyTest;
+import edu.cornell.mannlib.vitro.webapp.modelaccess.ModelNames;
+import org.apache.jena.ontology.OntModel;
+import org.apache.jena.rdf.model.ModelFactory;
+import org.apache.jena.rdf.model.Statement;
+import org.apache.jena.rdf.model.impl.PropertyImpl;
+import org.apache.jena.rdf.model.impl.ResourceImpl;
+import org.apache.jena.rdf.model.impl.StatementImpl;
+import org.apache.log4j.Level;
+import org.apache.log4j.LogManager;
+import org.apache.log4j.Logger;
+import org.junit.Before;
+import org.junit.Test;
+
+public class SimplePermissionMigratorTest extends AuthMigratorTest {
+
+    private OntModel userAccountsModel;
+    private SimplePermissionMigrator spm;
+    private static final String TEMPLATE_PATH = "template_simple_permissions";
+    public static final String ADMIN_SIMPLE_PERMISSIONS_PATH = "simple_permissions_admin";
+    public static final String CURATOR_SIMPLE_PERMISSIONS_PATH = "simple_permissions_curator";
+    public static final String EDITOR_SIMPLE_PERMISSIONS_PATH = "simple_permissions_editor";
+    public static final String SELF_EDITOR_SIMPLE_PERMISSIONS_PATH = "simple_permissions_self_editor";
+    public static final String PUBLIC_SIMPLE_PERMISSIONS_PATH = "simple_permissions_public";
+
+    @Before
+    public void initMigration() {
+        userAccountsModel = ModelFactory.createOntologyModel();
+        configurationDataSet.addNamedModel(ModelNames.USER_ACCOUNTS, userAccountsModel);
+        spm = new SimplePermissionMigrator(userAccountsModel);
+        load(PolicyTest.USER_ACCOUNTS_HOME_FIRSTTIME + TEMPLATE_PATH + EXT);
+        Logger logger = LogManager.getLogger(SimplePermissionMigrator.class);
+        logger.setLevel(Level.ERROR);
+    }
+
+    private void addUserAccountsStatement(String subjUri, String pUri, String objUri) {
+        Statement statement =
+                new StatementImpl(new ResourceImpl(subjUri), new PropertyImpl(pUri), new ResourceImpl(objUri));
+        userAccountsModel.add(statement);
+    }
+
+    @Test
+    public void getPermissionSetsTest() {
+        addPermissionSet(PolicyTest.CUSTOM);
+        addPermissionSet(PolicyTest.ADMIN);
+        addPermissionSet(PolicyTest.CURATOR);
+        addPermissionSet(PolicyTest.EDITOR);
+        addPermissionSet(PolicyTest.SELF_EDITOR);
+        addPermissionSet(PolicyTest.PUBLIC);
+        Set<String> sets = spm.getPermissionSets();
+        assertEquals(6, sets.size());
+        assertTrue(sets.contains(PolicyTest.CUSTOM));
+        assertTrue(sets.contains(PolicyTest.ADMIN));
+        assertTrue(sets.contains(PolicyTest.CURATOR));
+        assertTrue(sets.contains(PolicyTest.EDITOR));
+        assertTrue(sets.contains(PolicyTest.SELF_EDITOR));
+        assertTrue(sets.contains(PolicyTest.PUBLIC));
+    }
+
+    @Test
+    public void getUserAccountPermissionsTest() {
+        addUserAccountsStatement(PolicyTest.CUSTOM, RDF_TYPE, PERMISSIONSET);
+        addPermissionSet(PolicyTest.ADMIN);
+        addUserAccountsStatement(PolicyTest.CUSTOM, PERMISSIONSET_HAS_PERMISSION, ACCESS_SPECIAL_DATA_MODELS.getUri());
+        addUserAccountsStatement(PolicyTest.CUSTOM, PERMISSIONSET_HAS_PERMISSION,
+                SimplePermission.DO_BACK_END_EDITING.getUri());
+        Set<String> permissions = spm.getUserAccountPermissions(PolicyTest.CUSTOM);
+        assertEquals(2, permissions.size());
+        assertTrue(permissions.contains(ACCESS_SPECIAL_DATA_MODELS.getUri()));
+        assertTrue(permissions.contains(SimplePermission.DO_BACK_END_EDITING.getUri()));
+        permissions = spm.getUserAccountPermissions(PolicyTest.ADMIN);
+        assertEquals(0, permissions.size());
+    }
+
+    @Test
+    public void migrateConfigurationTest() {
+        addPermissionSet(PolicyTest.ADMIN);
+        addPermissionSet(PolicyTest.CURATOR);
+        addPermissionSet(PolicyTest.EDITOR);
+        addPermissionSet(PolicyTest.SELF_EDITOR);
+        addPermissionSet(PolicyTest.PUBLIC);
+        addPermissionSet(PolicyTest.CUSTOM);
+        addUserAccountsStatement(PolicyTest.CUSTOM, PERMISSIONSET_HAS_PERMISSION, ACCESS_SPECIAL_DATA_MODELS.getUri());
+        addUserAccountsStatement(PolicyTest.PUBLIC, PERMISSIONSET_HAS_PERMISSION, ACCESS_SPECIAL_DATA_MODELS.getUri());
+        load(USER_ACCOUNTS_HOME_FIRSTTIME + PUBLIC_SIMPLE_PERMISSIONS_PATH + EXT);
+        PolicyTemplateController.createRoleDataSets(CUSTOM);
+        spm.migrateConfiguration();
+        PolicyLoader policyLoader = PolicyLoader.getInstance();
+        Set<String> entities = policyLoader.getDataSetValues(EXECUTE, NAMED_OBJECT, PolicyTest.CUSTOM);
+        assertEquals(1, entities.size());
+        assertTrue(entities.contains(ACCESS_SPECIAL_DATA_MODELS.getUri()));
+        entities = policyLoader.getDataSetValues(EXECUTE, NAMED_OBJECT, PolicyTest.PUBLIC);
+        assertEquals(1, entities.size());
+        assertTrue(entities.contains(ACCESS_SPECIAL_DATA_MODELS.getUri()));
+        entities = policyLoader.getDataSetValues(EXECUTE, NAMED_OBJECT, PolicyTest.ADMIN);
+        assertEquals(1, entities.size());
+        assertTrue(entities.contains(ACCESS_SPECIAL_DATA_MODELS.getUri()));
+    }
+
+    private void addPermissionSet(String role) {
+        addUserAccountsStatement(role, RDF_TYPE, PERMISSIONSET);
+    }
+
+}
diff --git a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/tboxreasoner/impl/jfact/JFactTBoxReasonerTest.java b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/tboxreasoner/impl/jfact/JFactTBoxReasonerTest.java
index 4ee666b8b0..d718119836 100644
--- a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/tboxreasoner/impl/jfact/JFactTBoxReasonerTest.java
+++ b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/tboxreasoner/impl/jfact/JFactTBoxReasonerTest.java
@@ -7,11 +7,17 @@
 import org.apache.jena.rdf.model.Model;
 import org.apache.jena.rdf.model.ModelFactory;
 import org.apache.jena.rdf.model.RDFNode;
+import org.apache.log4j.Level;
+import org.apache.log4j.LogManager;
+import org.junit.After;
 import org.junit.Assert;
+import org.junit.Before;
 import org.junit.Test;
-
+import org.semanticweb.owlapi.util.SAXParsers;
 import edu.cornell.mannlib.vitro.webapp.dao.jena.JenaModelUtils;
 import edu.cornell.mannlib.vitro.webapp.dao.jena.event.EditEvent;
+import edu.cornell.mannlib.vitro.webapp.migration.auth.AnnotationMigrator;
+import edu.cornell.mannlib.vitro.webapp.migration.auth.ArmMigrator;
 import edu.cornell.mannlib.vitro.webapp.tboxreasoner.ReasonerConfiguration;
 import edu.cornell.mannlib.vitro.webapp.tboxreasoner.impl.BasicTBoxReasonerDriver;
 
@@ -48,7 +54,18 @@ public class JFactTBoxReasonerTest {
 	 * Test that axioms containing blank nodes can be removed from the reasoner
 	 *  even if the internal blank node IDs are different from when first added.
 	 */
-	@Test
+
+    @Before
+    public void init() {
+        LogManager.getLogger(SAXParsers.class).setLevel(Level.ERROR);
+    }
+
+    @After
+    public void finish() {
+        LogManager.getLogger(SAXParsers.class).setLevel(Level.INFO);
+    }
+
+    @Test
 	public void testRemoveAxiomsWithBlankNodes() {
 		OntModel tboxAssertions = ModelFactory.createOntologyModel(OntModelSpec.OWL_MEM);
 		OntModel tboxInferences = ModelFactory.createOntologyModel(OntModelSpec.OWL_MEM);
@@ -84,6 +101,7 @@ public void testRemoveAxiomsWithBlankNodes() {
 				"http://vivo.mydomain.edu/individual/class_b"), null, (RDFNode) null));
 		Assert.assertFalse(tboxUnion.contains(tboxUnion.getResource(
 				"http://vivo.mydomain.edu/individual/class_c"), null, (RDFNode) null));
+		
 	}
 	
 	private void waitForTBoxReasoning(BasicTBoxReasonerDriver driver) {
diff --git a/api/src/test/java/stubs/edu/cornell/mannlib/vitro/webapp/auth/policy/bean/PropertyRestrictionBeanStub.java b/api/src/test/java/stubs/edu/cornell/mannlib/vitro/webapp/auth/policy/bean/PropertyRestrictionBeanStub.java
deleted file mode 100644
index fdb660b11e..0000000000
--- a/api/src/test/java/stubs/edu/cornell/mannlib/vitro/webapp/auth/policy/bean/PropertyRestrictionBeanStub.java
+++ /dev/null
@@ -1,122 +0,0 @@
-/* $This file is distributed under the terms of the license in LICENSE$ */
-
-package stubs.edu.cornell.mannlib.vitro.webapp.auth.policy.bean;
-
-import java.util.Arrays;
-import java.util.Collections;
-import java.util.HashSet;
-import java.util.Set;
-
-import org.apache.jena.rdf.model.impl.Util;
-
-import edu.cornell.mannlib.vitro.webapp.auth.policy.bean.PropertyRestrictionBean;
-import edu.cornell.mannlib.vitro.webapp.auth.policy.bean.PropertyRestrictionLevels;
-import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean.RoleLevel;
-import edu.cornell.mannlib.vitro.webapp.beans.Property;
-
-/**
- * Allow the unit test to specify a variety of restrictions
- */
-public class PropertyRestrictionBeanStub extends PropertyRestrictionBean {
-
-	// ----------------------------------------------------------------------
-	// Stub infrastructure
-	// ----------------------------------------------------------------------
-
-	/** Don't prohibit or restrict anything. */
-	public static PropertyRestrictionBean getInstance() {
-		return getInstance(null, null);
-	}
-
-	/** Prohibit some namespaces. */
-	public static PropertyRestrictionBeanStub getInstance(
-			String[] restrictedNamespaces) {
-		return getInstance(restrictedNamespaces, null);
-	}
-
-	/**
-	 * Prohibit some namespaces and restrict some properties from modification
-	 * by anybody. They may still be displayed or published.
-	 *
-	 * We can implement more granular control if we need it.
-	 */
-	public static PropertyRestrictionBeanStub getInstance(
-			String[] restrictedNamespaces, String[] restrictedProperties) {
-		PropertyRestrictionBeanStub stub = new PropertyRestrictionBeanStub(
-				restrictedNamespaces, restrictedProperties);
-		PropertyRestrictionBean.instance = stub;
-		return stub;
-	}
-
-	private final Set<String> restrictedNamespaces;
-	private final Set<String> restrictedProperties;
-
-	private PropertyRestrictionBeanStub(String[] restrictedNamespaces,
-			String[] restrictedProperties) {
-		this.restrictedNamespaces = (restrictedNamespaces == null) ? Collections
-				.<String> emptySet() : new HashSet<>(
-				Arrays.asList(restrictedNamespaces));
-		this.restrictedProperties = (restrictedProperties == null) ? Collections
-				.<String> emptySet() : new HashSet<>(
-				Arrays.asList(restrictedProperties));
-	}
-
-	private boolean isPermittedNamespace(String uri) {
-		return !restrictedNamespaces.contains(namespace(uri));
-	}
-
-	private String namespace(String uri) {
-		return uri.substring(0, Util.splitNamespaceXML(uri));
-	}
-
-	private boolean isPermittedProperty(String uri) {
-		return !restrictedProperties.contains(uri);
-	}
-
-	// ----------------------------------------------------------------------
-	// Stub methods
-	// ----------------------------------------------------------------------
-
-	@Override
-	public boolean canDisplayResource(String resourceUri, RoleLevel userRole) {
-		return isPermittedNamespace(resourceUri);
-	}
-
-	@Override
-	public boolean canModifyResource(String resourceUri, RoleLevel userRole) {
-		return isPermittedNamespace(resourceUri)
-				&& isPermittedProperty(resourceUri);
-	}
-
-	@Override
-	public boolean canPublishResource(String resourceUri, RoleLevel userRole) {
-		return isPermittedNamespace(resourceUri);
-	}
-
-	@Override
-	public boolean canDisplayPredicate(Property predicate, RoleLevel userRole) {
-		return isPermittedNamespace(predicate.getURI());
-	}
-
-	@Override
-	public boolean canModifyPredicate(Property predicate, RoleLevel userRole) {
-		return isPermittedNamespace(predicate.getURI())
-				&& isPermittedProperty(predicate.getURI());
-	}
-
-	@Override
-	public boolean canPublishPredicate(Property predicate, RoleLevel userRole) {
-		return isPermittedNamespace(predicate.getURI());
-	}
-
-	// ----------------------------------------------------------------------
-	// Un-implemented methods
-	// ----------------------------------------------------------------------
-
-	@Override
-	public void updateProperty(PropertyRestrictionLevels levels) {
-		throw new RuntimeException(
-				"PropertyRestrictionBeanStub.updateProperty() not implemented.");
-	}
-
-}
diff --git a/api/src/test/java/stubs/edu/cornell/mannlib/vitro/webapp/beans/IndividualStub.java b/api/src/test/java/stubs/edu/cornell/mannlib/vitro/webapp/beans/IndividualStub.java
index 53b0dddc98..adbb3c67e0 100644
--- a/api/src/test/java/stubs/edu/cornell/mannlib/vitro/webapp/beans/IndividualStub.java
+++ b/api/src/test/java/stubs/edu/cornell/mannlib/vitro/webapp/beans/IndividualStub.java
@@ -13,7 +13,6 @@
 import org.apache.jena.rdf.model.Resource;
 import org.apache.jena.rdf.model.ResourceFactory;
 
-import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean.RoleLevel;
 import edu.cornell.mannlib.vitro.webapp.beans.DataProperty;
 import edu.cornell.mannlib.vitro.webapp.beans.DataPropertyStatement;
 import edu.cornell.mannlib.vitro.webapp.beans.DataPropertyStatementImpl;
@@ -232,60 +231,6 @@ public void setLocalName(String localName) {
 				"IndividualStub.setLocalName() not implemented.");
 	}
 
-	@Override
-	public RoleLevel getHiddenFromDisplayBelowRoleLevel() {
-		throw new RuntimeException(
-				"IndividualStub.getHiddenFromDisplayBelowRoleLevel() not implemented.");
-	}
-
-	@Override
-	public void setHiddenFromDisplayBelowRoleLevel(RoleLevel eR) {
-		throw new RuntimeException(
-				"IndividualStub.setHiddenFromDisplayBelowRoleLevel() not implemented.");
-	}
-
-	@Override
-	public void setHiddenFromDisplayBelowRoleLevelUsingRoleUri(String roleUri) {
-		throw new RuntimeException(
-				"IndividualStub.setHiddenFromDisplayBelowRoleLevelUsingRoleUri() not implemented.");
-	}
-
-	@Override
-	public RoleLevel getProhibitedFromUpdateBelowRoleLevel() {
-		throw new RuntimeException(
-				"IndividualStub.getProhibitedFromUpdateBelowRoleLevel() not implemented.");
-	}
-
-	@Override
-	public void setProhibitedFromUpdateBelowRoleLevel(RoleLevel eR) {
-		throw new RuntimeException(
-				"IndividualStub.setProhibitedFromUpdateBelowRoleLevel() not implemented.");
-	}
-
-	@Override
-	public void setProhibitedFromUpdateBelowRoleLevelUsingRoleUri(String roleUri) {
-		throw new RuntimeException(
-				"IndividualStub.setProhibitedFromUpdateBelowRoleLevelUsingRoleUri() not implemented.");
-	}
-
-	@Override
-	public RoleLevel getHiddenFromPublishBelowRoleLevel() {
-		throw new RuntimeException(
-				"IndividualStub.getHiddenFromPublishBelowRoleLevel() not implemented.");
-	}
-
-	@Override
-	public void setHiddenFromPublishBelowRoleLevel(RoleLevel eR) {
-		throw new RuntimeException(
-				"IndividualStub.setHiddenFromPublishBelowRoleLevel() not implemented.");
-	}
-
-	@Override
-	public void setHiddenFromPublishBelowRoleLevelUsingRoleUri(String roleUri) {
-		throw new RuntimeException(
-				"IndividualStub.setHiddenFromPublishBelowRoleLevelUsingRoleUri() not implemented.");
-	}
-
 	@Override
 	public int compareTo(Individual o) {
 		throw new RuntimeException(
diff --git a/api/src/test/java/stubs/edu/cornell/mannlib/vitro/webapp/config/ConfigurationPropertiesStub.java b/api/src/test/java/stubs/edu/cornell/mannlib/vitro/webapp/config/ConfigurationPropertiesStub.java
index 23a35bfbb4..90d371f240 100644
--- a/api/src/test/java/stubs/edu/cornell/mannlib/vitro/webapp/config/ConfigurationPropertiesStub.java
+++ b/api/src/test/java/stubs/edu/cornell/mannlib/vitro/webapp/config/ConfigurationPropertiesStub.java
@@ -28,7 +28,7 @@ public void setProperty(String key, String value) {
 	}
 
 	public void setBean(ServletContext ctx) {
-		setBean(ctx, this);
+		setBean(this);
 	}
 
 	@Override
diff --git a/api/src/test/java/stubs/edu/cornell/mannlib/vitro/webapp/modelaccess/ModelAccessFactoryStub.java b/api/src/test/java/stubs/edu/cornell/mannlib/vitro/webapp/modelaccess/ModelAccessFactoryStub.java
index 492e85e919..21a54c0e37 100644
--- a/api/src/test/java/stubs/edu/cornell/mannlib/vitro/webapp/modelaccess/ModelAccessFactoryStub.java
+++ b/api/src/test/java/stubs/edu/cornell/mannlib/vitro/webapp/modelaccess/ModelAccessFactoryStub.java
@@ -35,10 +35,12 @@ public ModelAccessFactoryStub() {
 
 		contextMA = new ContextModelAccessStub();
 		requestMA = new RequestModelAccessStub();
+		ModelAccess.setInstance(contextMA);
 	}
 
 	@Override
 	public ContextModelAccess buildContextModelAccess(ServletContext ctx) {
+	    ModelAccess.setInstance(contextMA);
 		return contextMA;
 	}
 
diff --git a/api/src/test/resources/edu/cornell/mannlib/vitro/webapp/auth/migration/configuration.n3 b/api/src/test/resources/edu/cornell/mannlib/vitro/webapp/auth/migration/configuration.n3
new file mode 100644
index 0000000000..3eedbc571c
--- /dev/null
+++ b/api/src/test/resources/edu/cornell/mannlib/vitro/webapp/auth/migration/configuration.n3
@@ -0,0 +1,36 @@
+@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .
+@prefix owl: <http://www.w3.org/2002/07/owl#> .
+@prefix : <http://vitro.mannlib.cornell.edu/ns/vitro/ApplicationConfiguration#> .
+@prefix display: <http://vitro.mannlib.cornell.edu/ontologies/display/1.1#> .
+@prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> .
+@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
+@prefix datagetter: <java:edu/cornell/mannlib/vitro/webapp/utils/datagetter/> .
+@prefix vitro: <http://vitro.mannlib.cornell.edu/ns/vitro/0.7#> .
+@prefix role:  <http://vitro.mannlib.cornell.edu/ns/vitro/role#> .
+@prefix local: <http://vitro.mannlib.cornell.edu/ns/vitro/siteConfig/> .
+@prefix vivo: <http://vivoweb.org/ontology/core#> .
+@prefix obo: <http://purl.obolibrary.org/obo/> .
+
+@base <http://vitro.mannlib.cornell.edu/ns/vitro/ApplicationConfiguration> .
+
+local:orgAdministersGrantContext a :ConfigContext ;
+        :hasConfiguration local:orgAdministersGrantConfig ;
+        :configContextFor <http://purl.obolibrary.org/obo/RO_0000053> ;
+        .
+
+local:orgAdministersGrantConfig a :ObjectPropertyDisplayConfig ;
+        vitro:hiddenFromDisplayBelowRoleLevelAnnot role:public ;
+        vitro:hiddenFromPublishBelowRoleLevelAnnot role:dbAdmin ;
+        vitro:prohibitedFromUpdateBelowRoleLevelAnnot role:selfEditor ;
+        .
+
+<http://vitro.mannlib.cornell.edu/ns/vitro/siteConfig/fp985> a :ConfigContext ;
+        :hasConfiguration <http://vitro.mannlib.cornell.edu/ns/vitro/siteConfig/fp396> ;
+        :configContextFor vivo:abbreviation ;
+        .
+
+<http://vitro.mannlib.cornell.edu/ns/vitro/siteConfig/fp396> a :ObjectPropertyDisplayConfig ;
+        vitro:hiddenFromDisplayBelowRoleLevelAnnot role:editor ;
+        vitro:hiddenFromPublishBelowRoleLevelAnnot role:curator ;
+        vitro:prohibitedFromUpdateBelowRoleLevelAnnot role:nobody ;
+        .
diff --git a/api/src/test/resources/edu/cornell/mannlib/vitro/webapp/auth/migration/content.n3 b/api/src/test/resources/edu/cornell/mannlib/vitro/webapp/auth/migration/content.n3
new file mode 100644
index 0000000000..5a70854a50
--- /dev/null
+++ b/api/src/test/resources/edu/cornell/mannlib/vitro/webapp/auth/migration/content.n3
@@ -0,0 +1,47 @@
+@prefix ocrer: <http://purl.org/net/OCRe/research.owl#> .
+@prefix owl:   <http://www.w3.org/2002/07/owl#> .
+@prefix scires: <http://vivoweb.org/ontology/scientific-research#> .
+@prefix xsd:   <http://www.w3.org/2001/XMLSchema#> .
+@prefix skos:  <http://www.w3.org/2004/02/skos/core#> .
+@prefix rdfs:  <http://www.w3.org/2000/01/rdf-schema#> .
+@prefix ocresd: <http://purl.org/net/OCRe/study_design.owl#> .
+@prefix swo:   <http://www.ebi.ac.uk/efo/swo/> .
+@prefix cito:  <http://purl.org/spar/cito/> .
+@prefix geo:   <http://aims.fao.org/aos/geopolitical.owl#> .
+@prefix ocresst: <http://purl.org/net/OCRe/statistics.owl#> .
+@prefix dcterms: <http://purl.org/dc/terms/> .
+@prefix vivo:  <http://vivoweb.org/ontology/core#> .
+@prefix event: <http://purl.org/NET/c4dm/event.owl#> .
+@prefix vann:  <http://purl.org/vocab/vann/> .
+@prefix foaf:  <http://xmlns.com/foaf/0.1/> .
+@prefix c4o:   <http://purl.org/spar/c4o/> .
+@prefix fabio: <http://purl.org/spar/fabio/> .
+@prefix vcard: <http://www.w3.org/2006/vcard/ns#> .
+@prefix vitro: <http://vitro.mannlib.cornell.edu/ns/vitro/0.7#> .
+@prefix vitro-public: <http://vitro.mannlib.cornell.edu/ns/vitro/public#> .
+@prefix rdf:   <http://www.w3.org/1999/02/22-rdf-syntax-ns#> .
+@prefix ocresp: <http://purl.org/net/OCRe/study_protocol.owl#> .
+@prefix bibo:  <http://purl.org/ontology/bibo/> .
+@prefix obo:   <http://purl.obolibrary.org/obo/> .
+@prefix ro:    <http://purl.obolibrary.org/obo/ro.owl#> .
+@prefix role:  <http://vitro.mannlib.cornell.edu/ns/vitro/role#> .
+
+obo:RO_0000053  a owl:ObjectProperty ;
+        vitro:hiddenFromDisplayBelowRoleLevelAnnot role:public ;
+        vitro:vitro:hiddenFromPublishBelowRoleLevelAnnot role:selfEditor ;
+        vitro:prohibitedFromUpdateBelowRoleLevelAnnot role:public .
+
+vivo:abbreviation  a owl:DatatypeProperty ;
+        vitro:hiddenFromDisplayBelowRoleLevelAnnot role:curator ;
+        vitro:vitro:hiddenFromPublishBelowRoleLevelAnnot role:dbAdmin;
+        vitro:prohibitedFromUpdateBelowRoleLevelAnnot role:editor .
+                
+foaf:Organization  a owl:Class ;
+        vitro:hiddenFromDisplayBelowRoleLevelAnnot role:nobody ;
+        vitro:vitro:hiddenFromPublishBelowRoleLevelAnnot role:editor;
+        vitro:prohibitedFromUpdateBelowRoleLevelAnnot role:nobody .
+                
+foaf:Person a owl:Class ;
+        vitro:hiddenFromDisplayBelowRoleLevelAnnot role:editor ;
+        vitro:vitro:hiddenFromPublishBelowRoleLevelAnnot role:nobody ;
+        vitro:prohibitedFromUpdateBelowRoleLevelAnnot role:editor .
diff --git a/api/src/test/resources/edu/cornell/mannlib/vitro/webapp/auth/rules/data_set_templates.n3 b/api/src/test/resources/edu/cornell/mannlib/vitro/webapp/auth/rules/data_set_templates.n3
new file mode 100644
index 0000000000..453d324ce2
--- /dev/null
+++ b/api/src/test/resources/edu/cornell/mannlib/vitro/webapp/auth/rules/data_set_templates.n3
@@ -0,0 +1,79 @@
+# $This file is distributed under the terms of the license in LICENSE$
+
+@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
+@prefix owl: <http://www.w3.org/2002/07/owl#> .
+@prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> .
+@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .
+@prefix auth: <http://vitro.mannlib.cornell.edu/ns/vitro/authorization#> .
+@prefix access-individual: <https://vivoweb.org/ontology/vitro-application/auth/individual/> .
+@prefix access: <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/> .
+@prefix simplePermission: <java:edu.cornell.mannlib.vitro.webapp.auth.permissions.SimplePermission#> .
+@prefix : <https://vivoweb.org/ontology/vitro-application/auth/individual/template/test-data-set-templates/> .
+
+:PolicyTemplate a access:PolicyTemplate ;
+    access:hasDataSetTemplate :RoleDataSetTemplate1 ;
+    access:hasDataSetTemplate :RoleDataSetTemplate2 ;
+    access:hasDataSet :PublicDataSet .
+
+#Role data set templates
+
+
+:RoleDataSetTemplate1 a access:DataSetTemplate ;
+    access:hasDataSetTemplateKey :RoleDataSetTemplateKey1 ;
+    access:hasDataSetKeyTemplate :RoleDataSetKeyTemplate1 ;
+    access:hasRelatedValueSet access-individual:PublicRoleValueSet ;
+    access:dataSetValueTemplate :RoleValueSetTemplate1 ;
+    access:dataSetValueTemplate :RolePermissionValueSetTemplate1 .  
+
+:RoleDataSetTemplateKey1 a access:DataSetTemplateKey ;
+    access:hasTemplateKeyComponent access-individual:SubjectRole .
+
+:RoleDataSetKeyTemplate1 a access:DataSetKeyTemplate ;
+    access:hasKeyComponent access-individual:NamedObject ;
+    access:hasKeyComponent access-individual:ExecuteOperation ;
+    access:hasKeyComponentTemplate access-individual:SubjectRole .
+
+:RoleValueSetTemplate1 a access:ValueSetTemplate ;
+    access:relatedCheck :RoleValueSet;
+    access:containsElementsOfType access-individual:SubjectRole .
+
+:RolePermissionValueSetTemplate1 a access:ValueSetTemplate ;
+    access:relatedCheck :TypeValueSet;
+    access:defaultValue simplePermission:PageViewablePublic;
+    access:defaultValue simplePermission:QueryFullModel ;
+    access:containsElementsOfType access-individual:NamedObject .
+
+
+:RoleDataSetTemplate2 a access:DataSetTemplate ;
+    access:hasDataSetTemplateKey :RoleDataSetTemplateKey2 ;
+    access:hasDataSetKeyTemplate :RoleDataSetKeyTemplate2 ;
+    access:dataSetValueTemplate :RoleValueSetTemplate2 ;
+    access:dataSetValueTemplate :RolePermissionValueSetTemplate2 .  
+
+:RoleDataSetTemplateKey2 a access:DataSetTemplateKey ;
+    access:hasTemplateKeyComponent access-individual:SubjectRole .
+
+:RoleDataSetKeyTemplate2 a access:DataSetKeyTemplate ;
+    access:hasKeyComponent access-individual:ObjectPropertyAccesObject ;
+    access:hasKeyComponentTemplate access-individual:SubjectRole .
+
+:RoleValueSetTemplate2 a access:ValueSetTemplate ;
+    access:relatedCheck :RoleValueSet;
+    access:containsElementsOfType access-individual:SubjectRole .
+
+:RolePermissionValueSetTemplate2 a access:ValueSetTemplate ;
+    access:relatedCheck :TypeValueSet;
+    access:containsElementsOfType access-individual:NamedObject .
+
+:PublicDataSet a access:DataSet ;
+    access:hasDataSetKey :PublicDataSetKey ;
+    access:hasRelatedValueSet access-individual:PublicRoleValueSet ;
+    access:hasRelatedValueSet access-individual:PublicSimplePermissionValueSet .
+
+:PublicDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:NamedObject ;
+    access:hasKeyComponent access-individual:ExecuteOperation ;
+    access:hasKeyComponent access-individual:PublicRoleUri .
+
+access-individual:PublicSimplePermissionValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:NamedObject .
diff --git a/api/src/test/resources/edu/cornell/mannlib/vitro/webapp/auth/rules/proximity_test_data.n3 b/api/src/test/resources/edu/cornell/mannlib/vitro/webapp/auth/rules/proximity_test_data.n3
new file mode 100644
index 0000000000..2274ec094f
--- /dev/null
+++ b/api/src/test/resources/edu/cornell/mannlib/vitro/webapp/auth/rules/proximity_test_data.n3
@@ -0,0 +1,4 @@
+# $This file is distributed under the terms of the license in LICENSE$
+
+<test:alice> <test:has_publication> <test:publication> .
+
diff --git a/api/src/test/resources/edu/cornell/mannlib/vitro/webapp/auth/rules/proximity_test_policy.n3 b/api/src/test/resources/edu/cornell/mannlib/vitro/webapp/auth/rules/proximity_test_policy.n3
new file mode 100644
index 0000000000..9f3d1253fc
--- /dev/null
+++ b/api/src/test/resources/edu/cornell/mannlib/vitro/webapp/auth/rules/proximity_test_policy.n3
@@ -0,0 +1,27 @@
+# $This file is distributed under the terms of the license in LICENSE$
+
+@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
+@prefix owl: <http://www.w3.org/2002/07/owl#> .
+@prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> .
+@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .
+@prefix auth: <http://vitro.mannlib.cornell.edu/ns/vitro/authorization#> .
+@prefix access-individual: <https://vivoweb.org/ontology/vitro-application/auth/individual/> .
+@prefix access: <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/> .
+
+access-individual:ProximityTestPolicy rdf:type access:Policy ;
+    access:hasRule access-individual:AllowPersonEditOwnPublication .
+          
+access-individual:AllowPersonEditOwnPublication rdf:type access:Rule ;
+    access:requiresCheck access-individual:PublicationInProximityAttribute .
+          
+access-individual:PublicationInProximityAttribute rdf:type access:Check ;
+    access:useOperator access-individual:SparqlSelectQueryContains ;
+    access:hasTypeToCheck access-individual:StatementSubjectUri ;
+    access:value access-individual:PublicationProximityToPerson .
+
+access-individual:PublicationProximityToPerson rdf:type access:ValueSet ;
+    access:id """
+    SELECT ?resourceUri WHERE {
+              ?personUri <test:has_publication> ?resourceUri .
+    }
+    """ .
diff --git a/api/src/test/resources/edu/cornell/mannlib/vitro/webapp/auth/rules/test_policy_broken1.n3 b/api/src/test/resources/edu/cornell/mannlib/vitro/webapp/auth/rules/test_policy_broken1.n3
new file mode 100644
index 0000000000..db080e23cc
--- /dev/null
+++ b/api/src/test/resources/edu/cornell/mannlib/vitro/webapp/auth/rules/test_policy_broken1.n3
@@ -0,0 +1,26 @@
+# $This file is distributed under the terms of the license in LICENSE$
+
+@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
+@prefix owl: <http://www.w3.org/2002/07/owl#> .
+@prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> .
+@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .
+@prefix auth: <http://vitro.mannlib.cornell.edu/ns/vitro/authorization#> .
+@prefix access-individual: <https://vivoweb.org/ontology/vitro-application/auth/individual/> .
+@prefix access: <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/> .
+
+access-individual:BrokenPolicyBrokenTestType rdf:type access:Policy ;
+    access:hasRule access-individual:BrokenTestRule .
+  
+access-individual:BrokenTestRule rdf:type access:Rule ;
+    access:requiresCheck access-individual:ValidTestAttribute ;
+    access:requiresCheck access-individual:BrokenTestAttribute .
+  
+access-individual:BrokenTestAttribute rdf:type access:Check ;
+    access:hasTypeToCheck access-individual:Operation ;
+    access:value access-individual:PublishOperation .
+ 
+access-individual:ValidTestAttribute rdf:type access:Check ;
+    access:useOperator access-individual:Equals ;
+    access:hasTypeToCheck access-individual:Operation ;
+    access:value access-individual:PublishOperation .
+
diff --git a/api/src/test/resources/edu/cornell/mannlib/vitro/webapp/auth/rules/test_policy_broken2.n3 b/api/src/test/resources/edu/cornell/mannlib/vitro/webapp/auth/rules/test_policy_broken2.n3
new file mode 100644
index 0000000000..8589657f09
--- /dev/null
+++ b/api/src/test/resources/edu/cornell/mannlib/vitro/webapp/auth/rules/test_policy_broken2.n3
@@ -0,0 +1,26 @@
+# $This file is distributed under the terms of the license in LICENSE$
+
+@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
+@prefix owl: <http://www.w3.org/2002/07/owl#> .
+@prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> .
+@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .
+@prefix auth: <http://vitro.mannlib.cornell.edu/ns/vitro/authorization#> .
+@prefix access-individual: <https://vivoweb.org/ontology/vitro-application/auth/individual/> .
+@prefix access: <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/> .
+
+access-individual:BrokenPolicyType rdf:type access:Policy ;
+    access:hasRule access-individual:BrokenTestRule .
+  
+access-individual:BrokenTestRule rdf:type access:Rule ;
+    access:requiresCheck access-individual:ValidTestAttribute ;
+    access:requiresCheck access-individual:BrokenTestAttribute .
+  
+access-individual:BrokenTestAttribute rdf:type access:Check ;
+    access:useOperator access-individual:Equals ;
+    access:value access-individual:PublishOperation .
+ 
+access-individual:ValidTestAttribute rdf:type access:Check ;
+    access:useOperator access-individual:Equals ;
+    access:hasTypeToCheck access-individual:Operation ;
+    access:value access-individual:PublishOperation .
+
diff --git a/api/src/test/resources/edu/cornell/mannlib/vitro/webapp/auth/rules/test_policy_broken3.n3 b/api/src/test/resources/edu/cornell/mannlib/vitro/webapp/auth/rules/test_policy_broken3.n3
new file mode 100644
index 0000000000..129dab4e02
--- /dev/null
+++ b/api/src/test/resources/edu/cornell/mannlib/vitro/webapp/auth/rules/test_policy_broken3.n3
@@ -0,0 +1,27 @@
+# $This file is distributed under the terms of the license in LICENSE$
+
+@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
+@prefix owl: <http://www.w3.org/2002/07/owl#> .
+@prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> .
+@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .
+@prefix auth: <http://vitro.mannlib.cornell.edu/ns/vitro/authorization#> .
+@prefix access-individual: <https://vivoweb.org/ontology/vitro-application/auth/individual/> .
+@prefix access: <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/> .
+
+access-individual:BrokenPolicyBrokenTestTypeId rdf:type access:Policy ;
+    access:hasRule access-individual:BrokenTestRule .
+  
+access-individual:BrokenTestRule rdf:type access:Rule ;
+    access:requiresCheck access-individual:ValidTestAttribute ;
+    access:requiresCheck access-individual:BrokenTestAttribute .
+  
+access-individual:BrokenTestAttribute rdf:type access:Check ;
+    access:useOperator access-individual:UnknownTest ;
+    access:hasTypeToCheck access-individual:Operation ;
+    access:value access-individual:PublishOperation .
+ 
+access-individual:ValidTestAttribute rdf:type access:Check ;
+    access:useOperator access-individual:Equals ;
+    access:hasTypeToCheck access-individual:Operation ;
+    access:value access-individual:PublishOperation .
+
diff --git a/api/src/test/resources/edu/cornell/mannlib/vitro/webapp/auth/rules/test_policy_broken4.n3 b/api/src/test/resources/edu/cornell/mannlib/vitro/webapp/auth/rules/test_policy_broken4.n3
new file mode 100644
index 0000000000..c59a0817db
--- /dev/null
+++ b/api/src/test/resources/edu/cornell/mannlib/vitro/webapp/auth/rules/test_policy_broken4.n3
@@ -0,0 +1,27 @@
+# $This file is distributed under the terms of the license in LICENSE$
+
+@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
+@prefix owl: <http://www.w3.org/2002/07/owl#> .
+@prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> .
+@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .
+@prefix auth: <http://vitro.mannlib.cornell.edu/ns/vitro/authorization#> .
+@prefix access-individual: <https://vivoweb.org/ontology/vitro-application/auth/individual/> .
+@prefix access: <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/> .
+
+access-individual:BrokenPolicyTypeId rdf:type access:Policy ;
+    access:hasRule access-individual:BrokenTestRule .
+
+access-individual:BrokenTestRule rdf:type access:Rule ;
+    access:requiresCheck access-individual:ValidTestAttribute ;
+    access:requiresCheck access-individual:BrokenTestAttribute .
+
+access-individual:BrokenTestAttribute rdf:type access:Check ;
+    access:useOperator access-individual:Equals ;
+    access:hasTypeToCheck access-individual:UnknownType ;
+    access:value access-individual:PublishOperation .
+
+access-individual:ValidTestAttribute rdf:type access:Check ;
+    access:useOperator access-individual:Equals ;
+    access:hasTypeToCheck access-individual:Operation ;
+    access:value access-individual:PublishOperation .
+
diff --git a/api/src/test/resources/edu/cornell/mannlib/vitro/webapp/auth/rules/test_policy_broken5.n3 b/api/src/test/resources/edu/cornell/mannlib/vitro/webapp/auth/rules/test_policy_broken5.n3
new file mode 100644
index 0000000000..22ecf66146
--- /dev/null
+++ b/api/src/test/resources/edu/cornell/mannlib/vitro/webapp/auth/rules/test_policy_broken5.n3
@@ -0,0 +1,36 @@
+# $This file is distributed under the terms of the license in LICENSE$
+
+@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
+@prefix owl: <http://www.w3.org/2002/07/owl#> .
+@prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> .
+@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .
+@prefix auth: <http://vitro.mannlib.cornell.edu/ns/vitro/authorization#> .
+@prefix access-individual: <https://vivoweb.org/ontology/vitro-application/auth/individual/> .
+@prefix access: <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/> .
+
+access-individual:BrokenTestSetPolicy rdf:type access:Policy ;
+    access:hasDataSet access-individual:testDataSet1 ;
+    access:hasRule access-individual:BrokenRule .
+
+access-individual:BrokenRule rdf:type access:Rule ;
+    access:requiresCheck access-individual:BrokenAttribute1 ;
+    access:requiresCheck access-individual:BrokenAttribute2 .
+
+access-individual:BrokenAttribute1 rdf:type access:Check ;
+    access:useOperator access-individual:Equals ;
+    access:hasTypeToCheck access-individual:ObjectUri ;
+    access:setValue access-individual:valueSet1 .
+
+access-individual:BrokenAttribute2 rdf:type access:Check ;
+    access:useOperator access-individual:Equals ;
+    access:hasTypeToCheck access-individual:ObjectUri ;
+    access:setValue access-individual:valueSet2 .
+
+access-individual:testDataSet1 rdf:type access:DataSet ;
+    access:hasRelatedValueSet access-individual:valueSet1 .
+
+access-individual:valueSet1 rdf:type access:ValueSet ;
+    access:value <test:value1> ;
+    access:value <test:value2> ;
+    .    
+
diff --git a/api/src/test/resources/edu/cornell/mannlib/vitro/webapp/auth/rules/test_policy_broken_set.n3 b/api/src/test/resources/edu/cornell/mannlib/vitro/webapp/auth/rules/test_policy_broken_set.n3
new file mode 100644
index 0000000000..7ef2cbcd69
--- /dev/null
+++ b/api/src/test/resources/edu/cornell/mannlib/vitro/webapp/auth/rules/test_policy_broken_set.n3
@@ -0,0 +1,47 @@
+# $This file is distributed under the terms of the license in LICENSE$
+
+@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
+@prefix owl: <http://www.w3.org/2002/07/owl#> .
+@prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> .
+@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .
+@prefix auth: <http://vitro.mannlib.cornell.edu/ns/vitro/authorization#> .
+@prefix access-individual: <https://vivoweb.org/ontology/vitro-application/auth/individual/> .
+@prefix access: <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/> .
+
+access-individual:BrokenTestSetPolicy rdf:type access:Policy ;
+    access:hasDataSet access-individual:testDataSet1 ;
+    access:hasDataSet access-individual:testDataSet2 ;
+    access:hasRule access-individual:BrokenRule .
+    
+access-individual:BrokenRule rdf:type access:Rule ;
+    access:requiresCheck access-individual:BrokenSetAttribute1 ;
+    access:requiresCheck access-individual:BrokenSetAttribute2 .
+    
+access-individual:BrokenSetAttribute1 rdf:type access:Check ;
+    access:useOperator access-individual:NotOneOf ;
+    access:hasTypeToCheck access-individual:ObjectUri ;
+    access:values access-individual:valueSet1 ;
+    .
+    
+access-individual:BrokenSetAttribute2 rdf:type access:Check ;
+    access:useOperator access-individual:NotOneOf ;
+    access:hasTypeToCheck access-individual:ObjectUri ;
+    access:values access-individual:valueSet2 ;
+    .
+
+access-individual:testDataSet1 rdf:type access:DataSet ;
+    access:hasRelatedValueSet access-individual:valueSet1 .
+
+access-individual:testDataSet2 rdf:type access:DataSet ;
+    access:hasRelatedValueSet access-individual:valueSet2 .
+
+access-individual:valueSet1 rdf:type access:ValueSet ;
+    access:value <test:value1> ;
+    access:value <test:value2> ;
+    .
+    
+access-individual:valueSet2 rdf:type access:ValueSet ;
+    access:value <test:value3> ;
+    access:value <test:value4> ;
+    .
+
diff --git a/api/src/test/resources/edu/cornell/mannlib/vitro/webapp/auth/rules/test_policy_key.n3 b/api/src/test/resources/edu/cornell/mannlib/vitro/webapp/auth/rules/test_policy_key.n3
new file mode 100644
index 0000000000..5be315317a
--- /dev/null
+++ b/api/src/test/resources/edu/cornell/mannlib/vitro/webapp/auth/rules/test_policy_key.n3
@@ -0,0 +1,26 @@
+# $This file is distributed under the terms of the license in LICENSE$
+
+@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
+@prefix owl: <http://www.w3.org/2002/07/owl#> .
+@prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> .
+@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .
+@prefix auth: <http://vitro.mannlib.cornell.edu/ns/vitro/authorization#> .
+@prefix access-individual: <https://vivoweb.org/ontology/vitro-application/auth/individual/> .
+@prefix access: <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/> .
+
+access-individual:KeyTestPolicy rdf:type access:Policy ;
+    access:policyKey access-individual:PolicyKeyTest ;
+    access:hasRule access-individual:KeyTestRule .
+    
+access-individual:KeyTestRule rdf:type access:Rule ;
+    access:requiresCheck access-individual:KeyTestAttribute .
+    
+access-individual:KeyTestAttribute rdf:type access:Check ;
+    access:useOperator access-individual:Equals ;
+    access:hasTypeToCheck access-individual:Operation ;
+    access:value access-individual:PublishOperation .
+
+access-individual:PolicyKeyTest rdf:type access:PolicyKey ;
+    access:hasKeyComponent access-individual:ObjectPropertyAccesObject ;
+    access:hasKeyComponent access-individual:AdminRoleUri ;
+    access:hasKeyComponent access-individual:DisplayOperation .
diff --git a/api/src/test/resources/edu/cornell/mannlib/vitro/webapp/auth/rules/test_policy_valid.n3 b/api/src/test/resources/edu/cornell/mannlib/vitro/webapp/auth/rules/test_policy_valid.n3
new file mode 100644
index 0000000000..b345e24e0a
--- /dev/null
+++ b/api/src/test/resources/edu/cornell/mannlib/vitro/webapp/auth/rules/test_policy_valid.n3
@@ -0,0 +1,21 @@
+# $This file is distributed under the terms of the license in LICENSE$
+
+@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
+@prefix owl: <http://www.w3.org/2002/07/owl#> .
+@prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> .
+@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .
+@prefix auth: <http://vitro.mannlib.cornell.edu/ns/vitro/authorization#> .
+@prefix access-individual: <https://vivoweb.org/ontology/vitro-application/auth/individual/> .
+@prefix access: <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/> .
+
+access-individual:ValidTestPolicy rdf:type access:Policy ;
+    access:hasRule access-individual:ValidRule .
+    
+access-individual:ValidRule rdf:type access:Rule ;
+    access:requiresCheck access-individual:ValidAttribute .
+    
+access-individual:ValidAttribute rdf:type access:Check ;
+    access:useOperator access-individual:Equals ;
+    access:hasTypeToCheck access-individual:Operation ;
+    access:value access-individual:PublishOperation .
+
diff --git a/api/src/test/resources/edu/cornell/mannlib/vitro/webapp/auth/rules/test_policy_valid_set.n3 b/api/src/test/resources/edu/cornell/mannlib/vitro/webapp/auth/rules/test_policy_valid_set.n3
new file mode 100644
index 0000000000..49ca545a6e
--- /dev/null
+++ b/api/src/test/resources/edu/cornell/mannlib/vitro/webapp/auth/rules/test_policy_valid_set.n3
@@ -0,0 +1,56 @@
+# $This file is distributed under the terms of the license in LICENSE$
+
+@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
+@prefix owl: <http://www.w3.org/2002/07/owl#> .
+@prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> .
+@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .
+@prefix auth: <http://vitro.mannlib.cornell.edu/ns/vitro/authorization#> .
+@prefix access-individual: <https://vivoweb.org/ontology/vitro-application/auth/individual/> .
+@prefix access: <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/> .
+
+access-individual:ValidTestSetPolicy rdf:type access:PolicyTemplate ;
+    access:hasDataSet access-individual:testDataSet2 ;
+    access:hasDataSet access-individual:testDataSet1 ;
+    access:hasRule access-individual:ValidRule .
+    
+access-individual:ValidRule rdf:type access:Rule ;
+    access:requiresCheck access-individual:ValidAttribute1 ;
+    access:requiresCheck access-individual:ValidAttribute2 .
+    
+access-individual:ValidAttribute1 rdf:type access:Check ;
+    access:useOperator access-individual:Equals ;
+    access:hasTypeToCheck access-individual:AccessObjectUri ;
+    access:values access-individual:valueSet1 ;
+    access:values access-individual:valueSet3 ;
+    .
+    
+access-individual:ValidAttribute2 rdf:type access:Check ;
+    access:useOperator access-individual:Equals ;
+    access:hasTypeToCheck access-individual:AccessObjectUri ;
+    access:values access-individual:valueSet4 ;
+    access:values access-individual:valueSet2 ;
+    .
+
+access-individual:testDataSet1 rdf:type access:DataSet ;
+    access:hasRelatedValueSet access-individual:valueSet2 ;
+    access:hasRelatedValueSet access-individual:valueSet1 .
+    
+access-individual:testDataSet2 rdf:type access:DataSet ;
+    access:hasRelatedValueSet access-individual:valueSet3 ;
+    access:hasRelatedValueSet access-individual:valueSet4 .
+
+access-individual:valueSet1 rdf:type access:ValueSet ;
+    access:value <test:value1> ;
+    .
+    
+access-individual:valueSet2 rdf:type access:ValueSet ;
+    access:value <test:value2> ;
+    .
+    
+access-individual:valueSet3 rdf:type access:ValueSet ;
+    access:value <test:value3> ;
+    .
+    
+access-individual:valueSet4 rdf:type access:ValueSet ;
+    access:value <test:value4> ;
+    .
diff --git a/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_admin_add_data_property.n3 b/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_admin_add_data_property.n3
new file mode 100644
index 0000000000..66da854fbc
--- /dev/null
+++ b/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_admin_add_data_property.n3
@@ -0,0 +1,9 @@
+# $This file is distributed under the terms of the license in LICENSE$
+
+@prefix : <https://vivoweb.org/ontology/vitro-application/auth/individual/access-allowed-property/> .
+@prefix access: <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/> .
+
+:AdminAddDataPropertyValueSet access:value
+    <http://www.w3.org/2000/01/rdf-schema#label> .
+
+
diff --git a/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_admin_display_data_property.n3 b/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_admin_display_data_property.n3
new file mode 100644
index 0000000000..63d353625c
--- /dev/null
+++ b/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_admin_display_data_property.n3
@@ -0,0 +1,7 @@
+# $This file is distributed under the terms of the license in LICENSE$
+
+@prefix access: <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/> .
+@prefix : <https://vivoweb.org/ontology/vitro-application/auth/individual/access-allowed-property/> .
+
+:AdminDisplayDataPropertyValueSet access:value
+    <http://www.w3.org/2000/01/rdf-schema#label> .
diff --git a/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_admin_drop_data_property.n3 b/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_admin_drop_data_property.n3
new file mode 100644
index 0000000000..f73378dc24
--- /dev/null
+++ b/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_admin_drop_data_property.n3
@@ -0,0 +1,7 @@
+# $This file is distributed under the terms of the license in LICENSE$
+
+@prefix access: <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/> .
+@prefix : <https://vivoweb.org/ontology/vitro-application/auth/individual/access-allowed-property/> .
+
+:AdminDropDataPropertyValueSet access:value
+    <http://www.w3.org/2000/01/rdf-schema#label> .
diff --git a/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_admin_edit_data_property.n3 b/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_admin_edit_data_property.n3
new file mode 100644
index 0000000000..a242fbd7d9
--- /dev/null
+++ b/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_admin_edit_data_property.n3
@@ -0,0 +1,7 @@
+# $This file is distributed under the terms of the license in LICENSE$
+
+@prefix access: <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/> .
+@prefix : <https://vivoweb.org/ontology/vitro-application/auth/individual/access-allowed-property/> .
+
+:AdminEditDataPropertyValueSet access:value
+    <http://www.w3.org/2000/01/rdf-schema#label> .
diff --git a/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_admin_publish_data_property.n3 b/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_admin_publish_data_property.n3
new file mode 100644
index 0000000000..acc528b61e
--- /dev/null
+++ b/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_admin_publish_data_property.n3
@@ -0,0 +1,7 @@
+# $This file is distributed under the terms of the license in LICENSE$
+
+@prefix access: <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/> .
+@prefix : <https://vivoweb.org/ontology/vitro-application/auth/individual/access-allowed-property/> .
+
+:AdminPublishDataPropertyValueSet access:value
+    <http://www.w3.org/2000/01/rdf-schema#label> .
diff --git a/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_curator_add_data_property.n3 b/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_curator_add_data_property.n3
new file mode 100644
index 0000000000..fccb4f474d
--- /dev/null
+++ b/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_curator_add_data_property.n3
@@ -0,0 +1,7 @@
+# $This file is distributed under the terms of the license in LICENSE$
+
+@prefix : <https://vivoweb.org/ontology/vitro-application/auth/individual/access-allowed-property/> .
+@prefix access: <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/> .
+
+:CuratorAddDataPropertyValueSet access:value
+    <http://www.w3.org/2000/01/rdf-schema#label> .
diff --git a/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_curator_display_data_property.n3 b/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_curator_display_data_property.n3
new file mode 100644
index 0000000000..b2cc317b00
--- /dev/null
+++ b/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_curator_display_data_property.n3
@@ -0,0 +1,7 @@
+# $This file is distributed under the terms of the license in LICENSE$
+
+@prefix : <https://vivoweb.org/ontology/vitro-application/auth/individual/access-allowed-property/> .
+@prefix access: <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/> .
+    
+:CuratorDisplayDataPropertyValueSet access:value
+    <http://www.w3.org/2000/01/rdf-schema#label> .
diff --git a/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_curator_drop_data_property.n3 b/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_curator_drop_data_property.n3
new file mode 100644
index 0000000000..d1ab3d7a67
--- /dev/null
+++ b/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_curator_drop_data_property.n3
@@ -0,0 +1,7 @@
+# $This file is distributed under the terms of the license in LICENSE$
+
+@prefix : <https://vivoweb.org/ontology/vitro-application/auth/individual/access-allowed-property/> .
+@prefix access: <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/> .
+
+:CuratorDropDataPropertyValueSet access:value
+    <http://www.w3.org/2000/01/rdf-schema#label> .
diff --git a/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_curator_edit_data_property.n3 b/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_curator_edit_data_property.n3
new file mode 100644
index 0000000000..053443fcdc
--- /dev/null
+++ b/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_curator_edit_data_property.n3
@@ -0,0 +1,7 @@
+# $This file is distributed under the terms of the license in LICENSE$
+
+@prefix : <https://vivoweb.org/ontology/vitro-application/auth/individual/access-allowed-property/> .
+@prefix access: <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/> .
+
+:CuratorEditDataPropertyValueSet access:value
+    <http://www.w3.org/2000/01/rdf-schema#label> .
diff --git a/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_curator_publish_data_property.n3 b/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_curator_publish_data_property.n3
new file mode 100644
index 0000000000..e2de8317c3
--- /dev/null
+++ b/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_curator_publish_data_property.n3
@@ -0,0 +1,7 @@
+# $This file is distributed under the terms of the license in LICENSE$
+
+@prefix : <https://vivoweb.org/ontology/vitro-application/auth/individual/access-allowed-property/> .
+@prefix access: <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/> .
+
+:CuratorPublishDataPropertyValueSet access:value
+    <http://www.w3.org/2000/01/rdf-schema#label> .
diff --git a/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_editor_add_data_property.n3 b/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_editor_add_data_property.n3
new file mode 100644
index 0000000000..c315b3d701
--- /dev/null
+++ b/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_editor_add_data_property.n3
@@ -0,0 +1,7 @@
+# $This file is distributed under the terms of the license in LICENSE$
+
+@prefix : <https://vivoweb.org/ontology/vitro-application/auth/individual/access-allowed-property/> .
+@prefix access: <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/> .
+
+:EditorAddDataPropertyValueSet access:value
+    <http://www.w3.org/2000/01/rdf-schema#label> .
diff --git a/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_editor_display_data_property.n3 b/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_editor_display_data_property.n3
new file mode 100644
index 0000000000..54d31adb3f
--- /dev/null
+++ b/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_editor_display_data_property.n3
@@ -0,0 +1,7 @@
+# $This file is distributed under the terms of the license in LICENSE$
+
+@prefix : <https://vivoweb.org/ontology/vitro-application/auth/individual/access-allowed-property/> .
+@prefix access: <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/> .
+
+:EditorDisplayDataPropertyValueSet access:value
+    <http://www.w3.org/2000/01/rdf-schema#label> .
diff --git a/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_editor_drop_data_property.n3 b/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_editor_drop_data_property.n3
new file mode 100644
index 0000000000..db9d72d5de
--- /dev/null
+++ b/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_editor_drop_data_property.n3
@@ -0,0 +1,7 @@
+# $This file is distributed under the terms of the license in LICENSE$
+
+@prefix : <https://vivoweb.org/ontology/vitro-application/auth/individual/access-allowed-property/> .
+@prefix access: <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/> .
+
+:EditorDropDataPropertyValueSet access:value
+    <http://www.w3.org/2000/01/rdf-schema#label> .
diff --git a/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_editor_edit_data_property.n3 b/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_editor_edit_data_property.n3
new file mode 100644
index 0000000000..bcd8fac81e
--- /dev/null
+++ b/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_editor_edit_data_property.n3
@@ -0,0 +1,7 @@
+# $This file is distributed under the terms of the license in LICENSE$
+
+@prefix : <https://vivoweb.org/ontology/vitro-application/auth/individual/access-allowed-property/> .
+@prefix access: <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/> .
+
+:EditorEditDataPropertyValueSet access:value
+    <http://www.w3.org/2000/01/rdf-schema#label> .
diff --git a/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_editor_publish_data_property.n3 b/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_editor_publish_data_property.n3
new file mode 100644
index 0000000000..76fe7db899
--- /dev/null
+++ b/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_editor_publish_data_property.n3
@@ -0,0 +1,7 @@
+# $This file is distributed under the terms of the license in LICENSE$
+
+@prefix : <https://vivoweb.org/ontology/vitro-application/auth/individual/access-allowed-property/> .
+@prefix access: <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/> .
+
+:EditorPublishDataPropertyValueSet access:value
+    <http://www.w3.org/2000/01/rdf-schema#label> .
diff --git a/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_public_display_data_property.n3 b/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_public_display_data_property.n3
new file mode 100644
index 0000000000..b32b610d07
--- /dev/null
+++ b/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_public_display_data_property.n3
@@ -0,0 +1,7 @@
+# $This file is distributed under the terms of the license in LICENSE$
+
+@prefix : <https://vivoweb.org/ontology/vitro-application/auth/individual/access-allowed-property/> .
+@prefix access: <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/> .
+
+:PublicDisplayDataPropertyValueSet access:value
+    <http://www.w3.org/2000/01/rdf-schema#label> .
diff --git a/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_self_editor_add_data_property.n3 b/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_self_editor_add_data_property.n3
new file mode 100644
index 0000000000..0cb7427dd6
--- /dev/null
+++ b/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_self_editor_add_data_property.n3
@@ -0,0 +1,7 @@
+# $This file is distributed under the terms of the license in LICENSE$
+
+@prefix : <https://vivoweb.org/ontology/vitro-application/auth/individual/update-related-allowed-property/> .
+@prefix access: <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/> .
+
+:SelfEditorAddDataPropertyValueSet access:value
+    <http://www.w3.org/2000/01/rdf-schema#label> .
diff --git a/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_self_editor_display_data_property.n3 b/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_self_editor_display_data_property.n3
new file mode 100644
index 0000000000..54e097b06a
--- /dev/null
+++ b/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_self_editor_display_data_property.n3
@@ -0,0 +1,7 @@
+# $This file is distributed under the terms of the license in LICENSE$
+
+@prefix : <https://vivoweb.org/ontology/vitro-application/auth/individual/related-allowed-property/> .
+@prefix access: <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/> .
+
+:SelfEditorDisplayDataPropertyValueSet access:value
+    <http://www.w3.org/2000/01/rdf-schema#label> .
diff --git a/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_self_editor_drop_data_property.n3 b/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_self_editor_drop_data_property.n3
new file mode 100644
index 0000000000..ddbcccda5d
--- /dev/null
+++ b/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_self_editor_drop_data_property.n3
@@ -0,0 +1,7 @@
+# $This file is distributed under the terms of the license in LICENSE$
+
+@prefix : <https://vivoweb.org/ontology/vitro-application/auth/individual/update-related-allowed-property/> .
+@prefix access: <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/> .
+
+:SelfEditorDropDataPropertyValueSet access:value
+    <http://www.w3.org/2000/01/rdf-schema#label> .
diff --git a/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_self_editor_edit_data_property.n3 b/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_self_editor_edit_data_property.n3
new file mode 100644
index 0000000000..6b5cb3679b
--- /dev/null
+++ b/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_self_editor_edit_data_property.n3
@@ -0,0 +1,7 @@
+# $This file is distributed under the terms of the license in LICENSE$
+
+@prefix : <https://vivoweb.org/ontology/vitro-application/auth/individual/update-related-allowed-property/> .
+@prefix access: <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/> .
+
+:SelfEditorEditDataPropertyValueSet access:value
+    <http://www.w3.org/2000/01/rdf-schema#label> .
diff --git a/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_self_editor_publish_data_property.n3 b/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_self_editor_publish_data_property.n3
new file mode 100644
index 0000000000..070180a3a7
--- /dev/null
+++ b/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_self_editor_publish_data_property.n3
@@ -0,0 +1,7 @@
+# $This file is distributed under the terms of the license in LICENSE$
+
+@prefix : <https://vivoweb.org/ontology/vitro-application/auth/individual/related-allowed-property/> .
+@prefix access: <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/> .
+
+:SelfEditorPublishDataPropertyValueSet access:value
+    <http://www.w3.org/2000/01/rdf-schema#label> .
diff --git a/home/src/main/resources/rdf/accessControl/firsttime/attributes.n3 b/home/src/main/resources/rdf/accessControl/firsttime/attributes.n3
new file mode 100644
index 0000000000..5eb157c322
--- /dev/null
+++ b/home/src/main/resources/rdf/accessControl/firsttime/attributes.n3
@@ -0,0 +1,31 @@
+# $This file is distributed under the terms of the license in LICENSE$
+
+@prefix access-individual: <https://vivoweb.org/ontology/vitro-application/auth/individual/> .
+@prefix access: <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/> .
+
+access-individual:Subject a access:AttributeType ;
+    access:id "SUBJECT" .
+
+access-individual:SubjectRole a access:AttributeType ;
+    access:id "SUBJECT_ROLE_URI" .
+
+access-individual:SubjectType a access:AttributeType ;
+    access:id "SUBJECT_TYPE" .
+
+access-individual:AccessObjectUri a access:AttributeType ;
+    access:id "ACCESS_OBJECT_URI" .
+
+access-individual:AccessObjectType a access:AttributeType ;
+    access:id "ACCESS_OBJECT_TYPE" .
+
+access-individual:Operation a access:AttributeType ;
+    access:id "OPERATION" .
+
+access-individual:StatementPredicateUri a access:AttributeType ;
+    access:id "STATEMENT_PREDICATE_URI" .
+
+access-individual:StatementSubjectUri a access:AttributeType ;
+    access:id "STATEMENT_SUBJECT_URI" .
+
+access-individual:StatementObjectUri a access:AttributeType ;
+    access:id "STATEMENT_OBJECT_URI" .
diff --git a/home/src/main/resources/rdf/accessControl/firsttime/decisions.n3 b/home/src/main/resources/rdf/accessControl/firsttime/decisions.n3
new file mode 100644
index 0000000000..43d3c8d779
--- /dev/null
+++ b/home/src/main/resources/rdf/accessControl/firsttime/decisions.n3
@@ -0,0 +1,10 @@
+# $This file is distributed under the terms of the license in LICENSE$
+
+@prefix access-individual: <https://vivoweb.org/ontology/vitro-application/auth/individual/> .
+@prefix access: <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/> .
+
+access-individual:Deny a access:Decision;
+    access:id "DENY" .
+
+access-individual:Allow a access:Decision;
+    access:id "ALLOW" .
diff --git a/home/src/main/resources/rdf/accessControl/firsttime/object_types.n3 b/home/src/main/resources/rdf/accessControl/firsttime/object_types.n3
new file mode 100644
index 0000000000..1e7a953583
--- /dev/null
+++ b/home/src/main/resources/rdf/accessControl/firsttime/object_types.n3
@@ -0,0 +1,63 @@
+# $This file is distributed under the terms of the license in LICENSE$
+
+@prefix access-individual: <https://vivoweb.org/ontology/vitro-application/auth/individual/> .
+@prefix access: <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/> .
+
+access-individual:ObjectProperty a access:ObjectType ;
+    access:id "OBJECT_PROPERTY" .
+
+access-individual:DataProperty a access:ObjectType ;
+    access:id "DATA_PROPERTY" .
+
+access-individual:FauxDataProperty a access:ObjectType ;
+    access:id "FAUX_DATA_PROPERTY" .
+
+access-individual:FauxObjectProperty a access:ObjectType ;
+    access:id "FAUX_OBJECT_PROPERTY" .
+
+access-individual:ObjectPropertyStatement a access:ObjectType ;
+    access:id "OBJECT_PROPERTY_STATEMENT" .
+
+access-individual:DataPropertyStatement a access:ObjectType ;
+    access:id "DATA_PROPERTY_STATEMENT" .
+
+access-individual:FauxObjectPropertyStatement a access:ObjectType ;
+    access:id "FAUX_OBJECT_PROPERTY_STATEMENT" .
+
+access-individual:FauxDataPropertyStatement a access:ObjectType ;
+    access:id "FAUX_DATA_PROPERTY_STATEMENT" .
+
+access-individual:Class a access:ObjectType ;
+    access:id "CLASS" .
+
+access-individual:NamedObject a access:ObjectType ;
+    access:id "NAMED_OBJECT" .
+
+#Object type value containers
+
+access-individual:ObjectPropertyValueSet a access:ValueSet ;
+    access:value access-individual:ObjectProperty .
+
+access-individual:DataPropertyValueSet a access:ValueSet ;
+    access:value access-individual:DataProperty .
+
+access-individual:FauxObjectPropertyValueSet a access:ValueSet ;
+    access:value access-individual:FauxObjectProperty .
+
+access-individual:FauxDataPropertyValueSet a access:ValueSet ;
+    access:value access-individual:FauxDataProperty .
+
+access-individual:ObjectPropertyStatementValueSet a access:ValueSet ;
+    access:value access-individual:ObjectPropertyStatement .
+
+access-individual:DataPropertyStatementValueSet a access:ValueSet ;
+    access:value access-individual:DataPropertyStatement .
+
+access-individual:FauxObjectPropertyStatementValueSet a access:ValueSet ;
+    access:value access-individual:FauxObjectPropertyStatement .
+
+access-individual:FauxDataPropertyStatementValueSet a access:ValueSet ;
+    access:value access-individual:FauxDataPropertyStatement .
+
+access-individual:ClassValueSet a access:ValueSet ;
+    access:value access-individual:Class .
diff --git a/home/src/main/resources/rdf/accessControl/firsttime/operations.n3 b/home/src/main/resources/rdf/accessControl/firsttime/operations.n3
new file mode 100644
index 0000000000..1b260ec9a5
--- /dev/null
+++ b/home/src/main/resources/rdf/accessControl/firsttime/operations.n3
@@ -0,0 +1,46 @@
+# $This file is distributed under the terms of the license in LICENSE$
+
+@prefix access-individual: <https://vivoweb.org/ontology/vitro-application/auth/individual/> .
+@prefix access: <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/> .
+
+access-individual:DisplayOperation a access:Operation ;
+    access:id "DISPLAY" .
+
+access-individual:UpdateOperation a access:Operation ;
+    access:id "UPDATE" .
+
+access-individual:PublishOperation a access:Operation ;
+    access:id "PUBLISH" .    
+
+access-individual:AddOperation a access:Operation ;
+    access:id "ADD" .
+
+access-individual:DropOperation a access:Operation ;
+    access:id "DROP" .
+
+access-individual:EditOperation a access:Operation ;
+    access:id "EDIT" .
+
+access-individual:ExecuteOperation a access:Operation ;
+    access:id "EXECUTE" .
+
+access-individual:DisplayOperationValueSet a access:ValueSet ;
+    access:value access-individual:DisplayOperation .
+
+access-individual:UpdateOperationValueSet a access:ValueSet ;
+    access:value access-individual:UpdateOperation .
+
+access-individual:PublishOperationValueSet a access:ValueSet ;
+    access:value access-individual:PublishOperation .
+
+access-individual:AddOperationValueSet a access:ValueSet ;
+    access:value access-individual:AddOperation .
+
+access-individual:DropOperationValueSet a access:ValueSet ;
+    access:value access-individual:DropOperation .
+
+access-individual:EditOperationValueSet a access:ValueSet ;
+    access:value access-individual:EditOperation .
+
+access-individual:ExecuteOperationValueSet a access:ValueSet ;
+    access:value access-individual:ExecuteOperation .
diff --git a/home/src/main/resources/rdf/accessControl/firsttime/operators.n3 b/home/src/main/resources/rdf/accessControl/firsttime/operators.n3
new file mode 100644
index 0000000000..9684ed967c
--- /dev/null
+++ b/home/src/main/resources/rdf/accessControl/firsttime/operators.n3
@@ -0,0 +1,22 @@
+# $This file is distributed under the terms of the license in LICENSE$
+
+@prefix access-individual: <https://vivoweb.org/ontology/vitro-application/auth/individual/> .
+@prefix access: <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/> .
+
+access-individual:Equals a access:Operator;
+    access:id "EQUALS" .
+
+access-individual:NotEquals a access:Operator;
+    access:id "NOT_EQUALS" .
+
+access-individual:OneOf a access:Operator;
+    access:id "ONE_OF" .
+
+access-individual:NotOneOf a access:Operator;
+    access:id "NOT_ONE_OF" .
+
+access-individual:StartsWith a access:Operator;
+    access:id "STARTS_WITH" .
+
+access-individual:SparqlSelectQueryContains a access:Operator;
+    access:id "SPARQL_SELECT_QUERY_CONTAINS" .
diff --git a/home/src/main/resources/rdf/accessControl/firsttime/policy_menu_items_editing.n3 b/home/src/main/resources/rdf/accessControl/firsttime/policy_menu_items_editing.n3
new file mode 100644
index 0000000000..d17a4a78f9
--- /dev/null
+++ b/home/src/main/resources/rdf/accessControl/firsttime/policy_menu_items_editing.n3
@@ -0,0 +1,49 @@
+# $This file is distributed under the terms of the license in LICENSE$
+
+@prefix access-individual: <https://vivoweb.org/ontology/vitro-application/auth/individual/> .
+@prefix access: <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/> .
+@prefix : <https://vivoweb.org/ontology/vitro-application/auth/individual/restrict-home-menu-items-editing/> .
+
+:Policy a access:Policy ;
+    access:priority 9000 ;
+    access:hasRule :RestrictEdit ;
+    access:hasRule :RestrictDrop .
+
+:RestrictEdit a access:Rule ;
+    access:hasDecision access-individual:Deny ;
+    access:requiresCheck :IsEditOperationCheck ;
+    access:requiresCheck :IsObjectPropertyStatement ;
+    access:requiresCheck :PredicateUriEqualsHomeMenuItem ;
+    access:requiresCheck :ObjectUriEqualsHasElement .
+
+:RestrictDrop a access:Rule ;
+    access:hasDecision access-individual:Deny ;
+    access:requiresCheck :IsDropOperationCheck ;
+    access:requiresCheck :IsObjectPropertyStatement ;
+    access:requiresCheck :PredicateUriEqualsHomeMenuItem ;
+    access:requiresCheck :ObjectUriEqualsHasElement .
+
+:IsEditOperationCheck a access:Check ;
+    access:useOperator access-individual:Equals ;
+    access:hasTypeToCheck access-individual:Operation ;
+    access:value access-individual:EditOperation .
+
+:IsDropOperationCheck a access:Check ;
+    access:useOperator access-individual:Equals ;
+    access:hasTypeToCheck access-individual:Operation ;
+    access:value access-individual:DropOperation .
+
+:IsObjectPropertyStatement a access:Check ;
+    access:useOperator access-individual:Equals ;
+    access:hasTypeToCheck access-individual:AccessObjectType ;
+    access:value access-individual:ObjectPropertyStatement .
+
+:PredicateUriEqualsHomeMenuItem a access:Check ;
+    access:useOperator access-individual:Equals ;
+    access:hasTypeToCheck access-individual:StatementPredicateUri ;
+    access:value <http://vitro.mannlib.cornell.edu/ontologies/display/1.1#HomeMenuItem> .
+
+:ObjectUriEqualsHasElement a access:Check ;
+    access:useOperator access-individual:Equals ;
+    access:hasTypeToCheck access-individual:StatementObjectUri ;
+    access:value <http://vitro.mannlib.cornell.edu/ontologies/display/1.1#hasElement> .
diff --git a/home/src/main/resources/rdf/accessControl/firsttime/policy_related_editable_pages.n3 b/home/src/main/resources/rdf/accessControl/firsttime/policy_related_editable_pages.n3
new file mode 100644
index 0000000000..c024f38106
--- /dev/null
+++ b/home/src/main/resources/rdf/accessControl/firsttime/policy_related_editable_pages.n3
@@ -0,0 +1,51 @@
+# $This file is distributed under the terms of the license in LICENSE$
+
+@prefix auth: <http://vitro.mannlib.cornell.edu/ns/vitro/authorization#> .
+@prefix access-individual: <https://vivoweb.org/ontology/vitro-application/auth/individual/> .
+@prefix access: <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/> .
+@prefix : <https://vivoweb.org/ontology/vitro-application/auth/individual/edit-related-individual-pages/> .
+
+:Policy a access:Policy ;
+    access:hasRule :AllowEditRelatedPagesRule .
+
+:AllowEditRelatedPagesRule a access:Rule;
+    access:requiresCheck :SubjectRoleIsSelfEditor ;
+    access:requiresCheck :SubjectUriIsProfileRelatedResource ;
+    access:requiresCheck :IsEditOperation ;
+    access:requiresCheck :IsObjectPropertyStatement ;
+    access:requiresCheck :ObjectUriIsSomeUri ;
+    access:requiresCheck :PredicateIsSomePredicate .
+
+:SubjectRoleIsSelfEditor a access:Check ;
+    access:useOperator access-individual:Equals ;
+    access:hasTypeToCheck access-individual:SubjectRole ;
+    access:value access-individual:SelfEditorRoleUri .
+
+:IsEditOperation a access:Check ;
+    access:useOperator access-individual:Equals ;
+    access:hasTypeToCheck access-individual:Operation ;
+    access:value access-individual:EditOperation .
+
+:PredicateIsSomePredicate a access:Check ;
+    access:useOperator access-individual:Equals ;
+    access:hasTypeToCheck access-individual:StatementPredicateUri ;
+    access:value :SomeUri .
+
+:ObjectUriIsSomeUri a access:Check ;
+    access:useOperator access-individual:Equals ;
+    access:hasTypeToCheck access-individual:StatementObjectUri ;
+    access:value :SomeUri .
+
+:SubjectUriIsProfileRelatedResource a access:Check ;
+    access:useOperator access-individual:SparqlSelectQueryContains ;
+    access:hasTypeToCheck access-individual:StatementSubjectUri ;
+    access:value access-individual:PersonProfileProximityToResourceUri .
+
+:IsObjectPropertyStatement a access:Check ;
+    access:useOperator access-individual:Equals ;
+    access:hasTypeToCheck access-individual:AccessObjectType ;
+    access:value access-individual:ObjectPropertyStatement .
+
+:SomeUri a access:AttributeUriValue ;
+    access:id "?SOME_URI" .
+
diff --git a/home/src/main/resources/rdf/accessControl/firsttime/policy_root_user.n3 b/home/src/main/resources/rdf/accessControl/firsttime/policy_root_user.n3
new file mode 100644
index 0000000000..c6904ffeb9
--- /dev/null
+++ b/home/src/main/resources/rdf/accessControl/firsttime/policy_root_user.n3
@@ -0,0 +1,18 @@
+# $This file is distributed under the terms of the license in LICENSE$
+
+@prefix access-individual: <https://vivoweb.org/ontology/vitro-application/auth/individual/> .
+@prefix access: <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/> .
+@prefix : <https://vivoweb.org/ontology/vitro-application/auth/individual/root-user/> .
+
+:Policy a access:Policy ;
+    access:priority 10000 ;
+    access:hasRule :AllowRootUserRule .
+
+:AllowRootUserRule a access:Rule;
+    access:requiresCheck :IsRootUserCheck .
+
+:IsRootUserCheck a access:Check ;
+    access:useOperator access-individual:Equals ;
+    access:hasTypeToCheck access-individual:SubjectType ;
+    access:value access-individual:RootUserSubject .
+
diff --git a/home/src/main/resources/rdf/accessControl/firsttime/profile_proximity_query.n3 b/home/src/main/resources/rdf/accessControl/firsttime/profile_proximity_query.n3
new file mode 100644
index 0000000000..f1e67b43e7
--- /dev/null
+++ b/home/src/main/resources/rdf/accessControl/firsttime/profile_proximity_query.n3
@@ -0,0 +1,12 @@
+# $This file is distributed under the terms of the license in LICENSE$
+
+@prefix access-individual: <https://vivoweb.org/ontology/vitro-application/auth/individual/> .
+@prefix access: <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/> .
+
+access-individual:PersonProfileProximityToResourceUri a access:SparqlSelectValuesQuery ;
+    access:id """
+    SELECT ?resourceUri WHERE {
+          BIND ( ?personUri as ?resourceUri)
+    }
+    """ .
+
diff --git a/home/src/main/resources/rdf/accessControl/firsttime/roles.n3 b/home/src/main/resources/rdf/accessControl/firsttime/roles.n3
new file mode 100644
index 0000000000..de2c219e3f
--- /dev/null
+++ b/home/src/main/resources/rdf/accessControl/firsttime/roles.n3
@@ -0,0 +1,35 @@
+# $This file is distributed under the terms of the license in LICENSE$
+
+@prefix auth: <http://vitro.mannlib.cornell.edu/ns/vitro/authorization#> .
+@prefix access-individual: <https://vivoweb.org/ontology/vitro-application/auth/individual/> .
+@prefix access: <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/> .
+
+access-individual:PublicRoleUri a access:SubjectRoleUri ;
+    access:id "http://vitro.mannlib.cornell.edu/ns/vitro/authorization#PUBLIC" .
+
+access-individual:SelfEditorRoleUri a access:SubjectRoleUri ;
+    access:id "http://vitro.mannlib.cornell.edu/ns/vitro/authorization#SELF_EDITOR" .
+
+access-individual:EditorRoleUri a access:SubjectRoleUri ;
+    access:id "http://vitro.mannlib.cornell.edu/ns/vitro/authorization#EDITOR" .
+
+access-individual:CuratorRoleUri a access:SubjectRoleUri ;
+    access:id "http://vitro.mannlib.cornell.edu/ns/vitro/authorization#CURATOR" .
+
+access-individual:AdminRoleUri a access:SubjectRoleUri ;
+    access:id "http://vitro.mannlib.cornell.edu/ns/vitro/authorization#ADMIN" .
+
+access-individual:PublicRoleValueSet a access:ValueSet ;
+    access:value access-individual:PublicRoleUri .
+
+access-individual:SelfEditorRoleValueSet a access:ValueSet ;
+    access:value access-individual:SelfEditorRoleUri .
+
+access-individual:EditorRoleValueSet a access:ValueSet ;
+    access:value access-individual:EditorRoleUri .
+
+access-individual:CuratorRoleValueSet a access:ValueSet ;
+    access:value access-individual:CuratorRoleUri .
+
+access-individual:AdminRoleValueSet a access:ValueSet ;
+    access:value access-individual:AdminRoleUri .
diff --git a/home/src/main/resources/rdf/accessControl/firsttime/simple_permissions_admin.n3 b/home/src/main/resources/rdf/accessControl/firsttime/simple_permissions_admin.n3
new file mode 100644
index 0000000000..d22823672d
--- /dev/null
+++ b/home/src/main/resources/rdf/accessControl/firsttime/simple_permissions_admin.n3
@@ -0,0 +1,55 @@
+# $This file is distributed under the terms of the license in LICENSE$
+
+@prefix access: <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/> .
+@prefix simplePermission: <java:edu.cornell.mannlib.vitro.webapp.auth.permissions.SimplePermission#> .
+@prefix : <https://vivoweb.org/ontology/vitro-application/auth/individual/simple-permissions/> .
+
+:AdminSimplePermissionValueSet
+    access:value simplePermission:AccessSpecialDataModels ;
+    access:value simplePermission:EnableDeveloperPanel ;
+    access:value simplePermission:LoginDuringMaintenance ;
+    access:value simplePermission:ManageMenus ;
+    access:value simplePermission:ManageProxies ;
+    access:value simplePermission:ManageSearchIndex ;
+    access:value simplePermission:ManageUserAccounts ;
+    access:value simplePermission:RefreshVisualizationCache ;
+    access:value simplePermission:SeeConfiguration ;
+    access:value simplePermission:SeeStartupStatus ;
+    access:value simplePermission:UseAdvancedDataToolsPages ;
+    access:value simplePermission:UseMiscellaneousAdminPages ;
+    access:value simplePermission:UseSparqlQueryPage ;
+    access:value simplePermission:PageViewableAdmin ;
+
+    # Uncomment the following permission line to enable the SPARQL update API.
+    # Before enabling, be sure that the URL api/sparqlUpdate is secured by HTTPS,
+    # so passwords will not be sent in clear text.
+    #access:value simplePermission:UseSparqlUpdateApi ;
+
+    # permissions for CURATOR and above.
+    access:value simplePermission:EditOntology ;
+    access:value simplePermission:EditSiteInformation ;
+    access:value simplePermission:SeeVerbosePropertyInformation ;
+    access:value simplePermission:UseMiscellaneousCuratorPages ;
+    access:value simplePermission:PageViewableCurator ;
+
+    # permissions for EDITOR and above.
+    access:value simplePermission:DoBackEndEditing ;
+    access:value simplePermission:SeeIndividualEditingPanel ;
+    access:value simplePermission:SeeRevisionInfo ;
+    access:value simplePermission:SeeSiteAdminPage ;
+    access:value simplePermission:UseIndividualControlPanel ;
+    access:value simplePermission:PageViewableEditor ;
+
+    # permissions for ANY logged-in user.
+    access:value simplePermission:DoFrontEndEditing ;
+    access:value simplePermission:EditOwnAccount ;
+    access:value simplePermission:ManageOwnProxies ;
+    access:value simplePermission:QueryUserAccountsModel ;
+    access:value simplePermission:UseBasicAjaxControllers ;
+    access:value simplePermission:UseMiscellaneousPages ;
+    access:value simplePermission:PageViewableLoggedIn ;
+
+    # permissions for ANY user, even if they are not logged in.
+    access:value simplePermission:QueryFullModel ;
+    access:value simplePermission:PageViewablePublic ;
+    .
diff --git a/home/src/main/resources/rdf/accessControl/firsttime/simple_permissions_curator.n3 b/home/src/main/resources/rdf/accessControl/firsttime/simple_permissions_curator.n3
new file mode 100644
index 0000000000..d488b8e54f
--- /dev/null
+++ b/home/src/main/resources/rdf/accessControl/firsttime/simple_permissions_curator.n3
@@ -0,0 +1,34 @@
+# $This file is distributed under the terms of the license in LICENSE$
+
+@prefix access: <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/> .
+@prefix simplePermission: <java:edu.cornell.mannlib.vitro.webapp.auth.permissions.SimplePermission#> .
+@prefix : <https://vivoweb.org/ontology/vitro-application/auth/individual/simple-permissions/> .
+
+:CuratorSimplePermissionValueSet
+    access:value simplePermission:EditOntology ;
+    access:value simplePermission:EditSiteInformation ;
+    access:value simplePermission:SeeVerbosePropertyInformation ;
+    access:value simplePermission:UseMiscellaneousCuratorPages ;
+    access:value simplePermission:PageViewableCurator ;
+
+    # permissions for EDITOR and above.
+    access:value simplePermission:DoBackEndEditing ;
+    access:value simplePermission:SeeIndividualEditingPanel ;
+    access:value simplePermission:SeeRevisionInfo ;
+    access:value simplePermission:SeeSiteAdminPage ;
+    access:value simplePermission:UseIndividualControlPanel ;
+    access:value simplePermission:PageViewableEditor ;
+
+    # permissions for ANY logged-in user.
+    access:value simplePermission:DoFrontEndEditing ;
+    access:value simplePermission:EditOwnAccount ;
+    access:value simplePermission:ManageOwnProxies ;
+    access:value simplePermission:QueryUserAccountsModel ;
+    access:value simplePermission:UseBasicAjaxControllers ;
+    access:value simplePermission:UseMiscellaneousPages ;
+    access:value simplePermission:PageViewableLoggedIn ;
+
+    # permissions for ANY user, even if they are not logged in.
+    access:value simplePermission:QueryFullModel ;
+    access:value simplePermission:PageViewablePublic ;
+    .
diff --git a/home/src/main/resources/rdf/accessControl/firsttime/simple_permissions_editor.n3 b/home/src/main/resources/rdf/accessControl/firsttime/simple_permissions_editor.n3
new file mode 100644
index 0000000000..ec155b9fdf
--- /dev/null
+++ b/home/src/main/resources/rdf/accessControl/firsttime/simple_permissions_editor.n3
@@ -0,0 +1,28 @@
+# $This file is distributed under the terms of the license in LICENSE$
+
+@prefix access: <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/> .
+@prefix simplePermission: <java:edu.cornell.mannlib.vitro.webapp.auth.permissions.SimplePermission#> .
+@prefix : <https://vivoweb.org/ontology/vitro-application/auth/individual/simple-permissions/> .
+
+:EditorSimplePermissionValueSet
+    # permissions for EDITOR and above.
+    access:value simplePermission:DoBackEndEditing ;
+    access:value simplePermission:SeeIndividualEditingPanel ;
+    access:value simplePermission:SeeRevisionInfo ;
+    access:value simplePermission:SeeSiteAdminPage ;
+    access:value simplePermission:UseIndividualControlPanel ;
+    access:value simplePermission:PageViewableEditor ;
+
+    # permissions for ANY logged-in user.
+    access:value simplePermission:DoFrontEndEditing ;
+    access:value simplePermission:EditOwnAccount ;
+    access:value simplePermission:ManageOwnProxies ;
+    access:value simplePermission:QueryUserAccountsModel ;
+    access:value simplePermission:UseBasicAjaxControllers ;
+    access:value simplePermission:UseMiscellaneousPages ;
+    access:value simplePermission:PageViewableLoggedIn ;
+
+    # permissions for ANY user, even if they are not logged in.
+    access:value simplePermission:QueryFullModel ;
+    access:value simplePermission:PageViewablePublic ;
+    .
diff --git a/home/src/main/resources/rdf/accessControl/firsttime/simple_permissions_public.n3 b/home/src/main/resources/rdf/accessControl/firsttime/simple_permissions_public.n3
new file mode 100644
index 0000000000..ac7759568e
--- /dev/null
+++ b/home/src/main/resources/rdf/accessControl/firsttime/simple_permissions_public.n3
@@ -0,0 +1,11 @@
+# $This file is distributed under the terms of the license in LICENSE$
+
+@prefix access: <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/> .
+@prefix simplePermission: <java:edu.cornell.mannlib.vitro.webapp.auth.permissions.SimplePermission#> .
+@prefix : <https://vivoweb.org/ontology/vitro-application/auth/individual/simple-permissions/> .
+
+:PublicSimplePermissionValueSet  
+    # permissions for ANY user, even if they are not logged in.
+    access:value simplePermission:QueryFullModel ;
+    access:value simplePermission:PageViewablePublic ;
+    .
diff --git a/home/src/main/resources/rdf/accessControl/firsttime/simple_permissions_self_editor.n3 b/home/src/main/resources/rdf/accessControl/firsttime/simple_permissions_self_editor.n3
new file mode 100644
index 0000000000..217a729d3a
--- /dev/null
+++ b/home/src/main/resources/rdf/accessControl/firsttime/simple_permissions_self_editor.n3
@@ -0,0 +1,20 @@
+# $This file is distributed under the terms of the license in LICENSE$
+
+@prefix access: <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/> .
+@prefix simplePermission: <java:edu.cornell.mannlib.vitro.webapp.auth.permissions.SimplePermission#> .
+@prefix : <https://vivoweb.org/ontology/vitro-application/auth/individual/simple-permissions/> .
+
+:SelfEditorSimplePermissionValueSet
+    # permissions for ANY logged-in user.
+    access:value simplePermission:DoFrontEndEditing ;
+    access:value simplePermission:EditOwnAccount ;
+    access:value simplePermission:ManageOwnProxies ;
+    access:value simplePermission:QueryUserAccountsModel ;
+    access:value simplePermission:UseBasicAjaxControllers ;
+    access:value simplePermission:UseMiscellaneousPages ;
+    access:value simplePermission:PageViewableLoggedIn ;
+
+    # permissions for ANY user, even if they are not logged in.
+    access:value simplePermission:QueryFullModel ;
+	access:value simplePermission:PageViewablePublic ;
+    .
diff --git a/home/src/main/resources/rdf/accessControl/firsttime/subject_types.n3 b/home/src/main/resources/rdf/accessControl/firsttime/subject_types.n3
new file mode 100644
index 0000000000..bf808a8008
--- /dev/null
+++ b/home/src/main/resources/rdf/accessControl/firsttime/subject_types.n3
@@ -0,0 +1,7 @@
+# $This file is distributed under the terms of the license in LICENSE$
+
+@prefix access-individual: <https://vivoweb.org/ontology/vitro-application/auth/individual/> .
+@prefix access: <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/> .
+
+access-individual:RootUserSubject a access:SubjectType ;
+     access:id "ROOT_USER" .
diff --git a/home/src/main/resources/rdf/accessControl/firsttime/template_access_allowed_class.n3 b/home/src/main/resources/rdf/accessControl/firsttime/template_access_allowed_class.n3
new file mode 100644
index 0000000000..d35a71c5f8
--- /dev/null
+++ b/home/src/main/resources/rdf/accessControl/firsttime/template_access_allowed_class.n3
@@ -0,0 +1,398 @@
+# $This file is distributed under the terms of the license in LICENSE$
+
+@prefix auth: <http://vitro.mannlib.cornell.edu/ns/vitro/authorization#> .
+@prefix access-individual: <https://vivoweb.org/ontology/vitro-application/auth/individual/> .
+@prefix access: <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/> .
+@prefix : <https://vivoweb.org/ontology/vitro-application/auth/individual/access-allowed-class/> .
+
+:PolicyTemplate a access:PolicyTemplate ;
+    access:hasRule :AllowMatchingClass ;
+
+    access:hasDataSet :PublicDisplayClassDataSet ;
+    access:hasDataSet :SelfEditorDisplayClassDataSet ;
+    access:hasDataSet :EditorDisplayClassDataSet ;
+    access:hasDataSet :CuratorDisplayClassDataSet ;
+    access:hasDataSet :AdminDisplayClassDataSet ;
+
+    access:hasDataSet :PublicUpdateClassDataSet ;
+    access:hasDataSet :SelfEditorUpdateClassDataSet ;
+    access:hasDataSet :EditorUpdateClassDataSet ;
+    access:hasDataSet :CuratorUpdateClassDataSet ;
+    access:hasDataSet :AdminUpdateClassDataSet ;
+
+    access:hasDataSet :SelfEditorPublishClassDataSet ;
+    access:hasDataSet :EditorPublishClassDataSet ;
+    access:hasDataSet :CuratorPublishClassDataSet ;
+    access:hasDataSet :AdminPublishClassDataSet ;
+
+    access:hasDataSetTemplate :RoleDisplayClassDataSetTemplate ;
+    access:hasDataSetTemplate :RoleUpdateClassDataSetTemplate ;
+    access:hasDataSetTemplate :RolePublishClassDataSetTemplate ;
+    .
+
+#Role Display Class data set template
+
+:RoleDisplayClassDataSetTemplate a access:DataSetTemplate ;
+    access:hasDataSetTemplateKey :RoleDisplayClassDataSetTemplateKey ;
+    access:hasDataSetKeyTemplate :RoleDisplayClassDataSetKeyTemplate ;
+    access:hasRelatedValueSet access-individual:ClassValueSet ;
+    access:hasRelatedValueSet access-individual:DisplayOperationValueSet ;
+    access:dataSetValueTemplate :RoleDisplayClassRoleValueSetTemplate ;
+    access:dataSetValueTemplate :RoleDisplayClassValueSetTemplate .  
+
+:RoleDisplayClassDataSetTemplateKey a access:DataSetTemplateKey ;
+    access:hasTemplateKeyComponent access-individual:SubjectRole .
+
+:RoleDisplayClassDataSetKeyTemplate a access:DataSetKeyTemplate ;
+    access:hasKeyComponent access-individual:Class ;
+    access:hasKeyComponent access-individual:DisplayOperation ;
+    access:hasKeyComponentTemplate access-individual:SubjectRole .
+
+:RoleDisplayClassRoleValueSetTemplate a access:ValueSetTemplate ;
+    access:relatedCheck :SubjectRoleCheck;
+    access:containsElementsOfType access-individual:SubjectRole .
+
+:RoleDisplayClassValueSetTemplate a access:ValueSetTemplate ;
+    access:relatedCheck :AccessObjectUriCheck ;
+#    access:value access-individual:defaultUri ;
+    access:containsElementsOfType access-individual:Class .
+
+#Role Update Class data set template
+
+:RoleUpdateClassDataSetTemplate a access:DataSetTemplate ;
+    access:hasDataSetTemplateKey :RoleUpdateClassDataSetTemplateKey ;
+    access:hasDataSetKeyTemplate :RoleUpdateClassDataSetKeyTemplate ;
+    access:hasRelatedValueSet access-individual:ClassValueSet ;
+    access:hasRelatedValueSet access-individual:UpdateOperationValueSet ;
+    access:dataSetValueTemplate :RoleUpdateClassRoleValueSetTemplate ;
+    access:dataSetValueTemplate :RoleUpdateClassValueSetTemplate .  
+
+:RoleUpdateClassDataSetTemplateKey a access:DataSetTemplateKey ;
+    access:hasTemplateKeyComponent access-individual:SubjectRole .
+
+:RoleUpdateClassDataSetKeyTemplate a access:DataSetKeyTemplate ;
+    access:hasKeyComponent access-individual:Class ;
+    access:hasKeyComponent access-individual:UpdateOperation ;
+    access:hasKeyComponentTemplate access-individual:SubjectRole .
+
+:RoleUpdateClassRoleValueSetTemplate a access:ValueSetTemplate ;
+    access:relatedCheck :SubjectRoleCheck;
+    access:containsElementsOfType access-individual:SubjectRole .
+
+:RoleUpdateClassValueSetTemplate a access:ValueSetTemplate ;
+    access:relatedCheck :AccessObjectUriCheck ;
+#    access:value access-individual:defaultUri ;
+    access:containsElementsOfType access-individual:Class .
+
+#Role Publish Class data set template
+
+:RolePublishClassDataSetTemplate a access:DataSetTemplate ;
+    access:hasDataSetTemplateKey :RolePublishClassDataSetTemplateKey ;
+    access:hasDataSetKeyTemplate :RolePublishClassDataSetKeyTemplate ;
+    access:hasRelatedValueSet access-individual:ClassValueSet ;
+    access:hasRelatedValueSet access-individual:PublishOperationValueSet ;
+    access:dataSetValueTemplate :RolePublishClassRoleValueSetTemplate ;
+    access:dataSetValueTemplate :RolePublishClassValueSetTemplate .  
+
+:RolePublishClassDataSetTemplateKey a access:DataSetTemplateKey ;
+    access:hasTemplateKeyComponent access-individual:SubjectRole .
+
+:RolePublishClassDataSetKeyTemplate a access:DataSetKeyTemplate ;
+    access:hasKeyComponent access-individual:Class ;
+    access:hasKeyComponent access-individual:PublishOperation ;
+    access:hasKeyComponentTemplate access-individual:SubjectRole .
+
+:RolePublishClassRoleValueSetTemplate a access:ValueSetTemplate ;
+    access:relatedCheck :SubjectRoleCheck;
+    access:containsElementsOfType access-individual:SubjectRole .
+
+:RolePublishClassValueSetTemplate a access:ValueSetTemplate ;
+    access:relatedCheck :AccessObjectUriCheck ;
+#    access:value access-individual:defaultUri ;
+    access:containsElementsOfType access-individual:Class .
+
+### Public display class uri data sets
+
+:PublicDisplayClassDataSet a access:DataSet ;
+    access:hasDataSetKey :PublicDisplayClassDataSetKey ;
+    access:hasRelatedValueSet access-individual:PublicRoleValueSet ;
+    access:hasRelatedValueSet access-individual:ClassValueSet ;
+    access:hasRelatedValueSet access-individual:DisplayOperationValueSet ;
+    access:hasRelatedValueSet :PublicDisplayClassValueSet .
+
+:PublicDisplayClassDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:Class ;
+    access:hasKeyComponent access-individual:PublicRoleUri ;
+    access:hasKeyComponent access-individual:DisplayOperation .
+
+### Self editor display class uri data sets
+
+:SelfEditorDisplayClassDataSet a access:DataSet ;
+    access:hasDataSetKey :SelfEditorDisplayClassDataSetKey ;
+    access:hasRelatedValueSet access-individual:SelfEditorRoleValueSet ;
+    access:hasRelatedValueSet access-individual:ClassValueSet ;
+    access:hasRelatedValueSet access-individual:DisplayOperationValueSet ;
+    access:hasRelatedValueSet :SelfEditorDisplayClassValueSet .
+
+:SelfEditorDisplayClassDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:Class ;
+    access:hasKeyComponent access-individual:SelfEditorRoleUri ;
+    access:hasKeyComponent access-individual:DisplayOperation .
+
+### Editor display class uri data sets
+
+:EditorDisplayClassDataSet a access:DataSet ;
+    access:hasDataSetKey :EditorDisplayClassDataSetKey ;
+    access:hasRelatedValueSet access-individual:EditorRoleValueSet ;
+    access:hasRelatedValueSet access-individual:ClassValueSet ;
+    access:hasRelatedValueSet access-individual:DisplayOperationValueSet ;
+    access:hasRelatedValueSet :EditorDisplayClassValueSet .
+
+:EditorDisplayClassDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:Class ;
+    access:hasKeyComponent access-individual:EditorRoleUri ;
+    access:hasKeyComponent access-individual:DisplayOperation .
+
+### Curator display class uri data sets
+
+:CuratorDisplayClassDataSet a access:DataSet ;
+    access:hasDataSetKey :CuratorDisplayClassDataSetKey ;
+    access:hasRelatedValueSet access-individual:CuratorRoleValueSet ;
+    access:hasRelatedValueSet access-individual:ClassValueSet ;
+    access:hasRelatedValueSet access-individual:DisplayOperationValueSet ;
+    access:hasRelatedValueSet :CuratorDisplayClassValueSet .
+
+:CuratorDisplayClassDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:Class ;
+    access:hasKeyComponent access-individual:CuratorRoleUri ;
+    access:hasKeyComponent access-individual:DisplayOperation .
+
+### Admin display class uri data sets
+
+:AdminDisplayClassDataSet a access:DataSet ;
+    access:hasDataSetKey :AdminDisplayClassDataSetKey ;
+    access:hasRelatedValueSet access-individual:AdminRoleValueSet ;
+    access:hasRelatedValueSet access-individual:ClassValueSet ;
+    access:hasRelatedValueSet access-individual:DisplayOperationValueSet ;
+    access:hasRelatedValueSet :AdminDisplayClassValueSet .
+
+:AdminDisplayClassDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:Class ;
+    access:hasKeyComponent access-individual:AdminRoleUri ;
+    access:hasKeyComponent access-individual:DisplayOperation .
+
+### Public update class uri data sets
+
+:PublicUpdateClassDataSet a access:DataSet ;
+    access:hasDataSetKey :PublicUpdateClassDataSetKey ;
+    access:hasRelatedValueSet access-individual:PublicRoleValueSet ;
+    access:hasRelatedValueSet access-individual:ClassValueSet ;
+    access:hasRelatedValueSet access-individual:UpdateOperationValueSet ;
+    access:hasRelatedValueSet :PublicUpdateClassValueSet .
+
+:PublicUpdateClassDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:Class ;
+    access:hasKeyComponent access-individual:PublicRoleUri ;
+    access:hasKeyComponent access-individual:UpdateOperation .
+
+### Self editor update class uri data sets
+
+:SelfEditorUpdateClassDataSet a access:DataSet ;
+    access:hasDataSetKey :SelfEditorUpdateClassDataSetKey ;
+    access:hasRelatedValueSet access-individual:SelfEditorRoleValueSet ;
+    access:hasRelatedValueSet access-individual:ClassValueSet ;
+    access:hasRelatedValueSet access-individual:UpdateOperationValueSet ;
+    access:hasRelatedValueSet :SelfEditorUpdateClassValueSet .
+
+:SelfEditorUpdateClassDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:Class ;
+    access:hasKeyComponent access-individual:SelfEditorRoleUri ;
+    access:hasKeyComponent access-individual:UpdateOperation .
+
+### Editor update class uri data sets
+
+:EditorUpdateClassDataSet a access:DataSet ;
+    access:hasDataSetKey :EditorUpdateClassDataSetKey ;
+    access:hasRelatedValueSet access-individual:EditorRoleValueSet ;
+    access:hasRelatedValueSet access-individual:ClassValueSet ;
+    access:hasRelatedValueSet access-individual:UpdateOperationValueSet ;
+    access:hasRelatedValueSet :EditorUpdateClassValueSet .
+
+:EditorUpdateClassDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:Class ;
+    access:hasKeyComponent access-individual:EditorRoleUri ;
+    access:hasKeyComponent access-individual:UpdateOperation .
+
+### Curator update class uri data sets
+
+:CuratorUpdateClassDataSet a access:DataSet ;
+    access:hasDataSetKey :CuratorUpdateClassDataSetKey ;
+    access:hasRelatedValueSet access-individual:CuratorRoleValueSet ;
+    access:hasRelatedValueSet access-individual:ClassValueSet ;
+    access:hasRelatedValueSet access-individual:UpdateOperationValueSet ;
+    access:hasRelatedValueSet :CuratorUpdateClassValueSet .
+
+:CuratorUpdateClassDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:Class ;
+    access:hasKeyComponent access-individual:CuratorRoleUri ;
+    access:hasKeyComponent access-individual:UpdateOperation .
+
+### Admin update class uri data sets
+
+:AdminUpdateClassDataSet a access:DataSet ;
+    access:hasDataSetKey :AdminUpdateClassDataSetKey ;
+    access:hasRelatedValueSet access-individual:AdminRoleValueSet ;
+    access:hasRelatedValueSet access-individual:ClassValueSet ;
+    access:hasRelatedValueSet access-individual:UpdateOperationValueSet ;
+    access:hasRelatedValueSet :AdminUpdateClassValueSet .
+
+:AdminUpdateClassDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:Class ;
+    access:hasKeyComponent access-individual:AdminRoleUri ;
+    access:hasKeyComponent access-individual:UpdateOperation .
+
+### Self editor publish class uri data sets
+
+:SelfEditorPublishClassDataSet a access:DataSet ;
+    access:hasDataSetKey :SelfEditorPublishClassDataSetKey ;
+    access:hasRelatedValueSet access-individual:SelfEditorRoleValueSet ;
+    access:hasRelatedValueSet access-individual:ClassValueSet ;
+    access:hasRelatedValueSet access-individual:PublishOperationValueSet ;
+    access:hasRelatedValueSet :SelfEditorPublishClassValueSet .
+
+:SelfEditorPublishClassDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:Class ;
+    access:hasKeyComponent access-individual:SelfEditorRoleUri ;
+    access:hasKeyComponent access-individual:PublishOperation .
+
+### Editor publish class uri data sets
+
+:EditorPublishClassDataSet a access:DataSet ;
+    access:hasDataSetKey :EditorPublishClassDataSetKey ;
+    access:hasRelatedValueSet access-individual:EditorRoleValueSet ;
+    access:hasRelatedValueSet access-individual:ClassValueSet ;
+    access:hasRelatedValueSet access-individual:PublishOperationValueSet ;
+    access:hasRelatedValueSet :EditorPublishClassValueSet .
+
+:EditorPublishClassDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:Class ;
+    access:hasKeyComponent access-individual:EditorRoleUri ;
+    access:hasKeyComponent access-individual:PublishOperation .
+
+### Curator publish class uri data sets
+
+:CuratorPublishClassDataSet a access:DataSet ;
+    access:hasDataSetKey :CuratorPublishClassDataSetKey ;
+    access:hasRelatedValueSet access-individual:CuratorRoleValueSet ;
+    access:hasRelatedValueSet access-individual:ClassValueSet ;
+    access:hasRelatedValueSet access-individual:PublishOperationValueSet ;
+    access:hasRelatedValueSet :CuratorPublishClassValueSet .
+
+:CuratorPublishClassDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:Class ;
+    access:hasKeyComponent access-individual:CuratorRoleUri ;
+    access:hasKeyComponent access-individual:PublishOperation .
+
+### Admin publish class uri data sets
+
+:AdminPublishClassDataSet a access:DataSet ;
+    access:hasDataSetKey :AdminPublishClassDataSetKey ;
+    access:hasRelatedValueSet access-individual:AdminRoleValueSet ;
+    access:hasRelatedValueSet access-individual:ClassValueSet ;
+    access:hasRelatedValueSet access-individual:PublishOperationValueSet ;
+    access:hasRelatedValueSet :AdminPublishClassValueSet .
+
+:AdminPublishClassDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:Class ;
+    access:hasKeyComponent access-individual:AdminRoleUri ;
+    access:hasKeyComponent access-individual:PublishOperation .
+
+:AllowMatchingClass a access:Rule;
+    access:requiresCheck :SubjectRoleCheck ;
+    access:requiresCheck :OperationCheck ;
+    access:requiresCheck :AccessObjectTypeCheck ;
+    access:requiresCheck :AccessObjectUriCheck .
+
+:AccessObjectTypeCheck a access:Check ;
+    access:useOperator access-individual:Equals ;
+    access:hasTypeToCheck access-individual:AccessObjectType ;
+    access:values access-individual:ClassValueSet ;
+    .
+
+:OperationCheck a access:Check ;
+    access:useOperator access-individual:Equals ;
+    access:hasTypeToCheck access-individual:Operation ;
+    access:values access-individual:DisplayOperationValueSet ;
+    access:values access-individual:PublishOperationValueSet ;
+    access:values access-individual:UpdateOperationValueSet ;
+    .
+
+:SubjectRoleCheck a access:Check ;
+    access:useOperator access-individual:Equals ;
+    access:hasTypeToCheck access-individual:SubjectRole ;
+    access:values access-individual:PublicRoleValueSet ;
+    access:values access-individual:SelfEditorRoleValueSet ;
+    access:values access-individual:EditorRoleValueSet ;
+    access:values access-individual:CuratorRoleValueSet ;
+    access:values access-individual:AdminRoleValueSet .
+
+:AccessObjectUriCheck a access:Check ;
+    access:useOperator access-individual:OneOf ;
+    access:hasTypeToCheck access-individual:AccessObjectUri ;
+    access:values :AdminPublishClassValueSet ;
+    access:values :AdminDisplayClassValueSet ;
+    access:values :AdminUpdateClassValueSet ;
+    access:values :CuratorPublishClassValueSet ;
+    access:values :CuratorDisplayClassValueSet ;
+    access:values :CuratorUpdateClassValueSet ;
+    access:values :EditorPublishClassValueSet ;
+    access:values :EditorDisplayClassValueSet ;
+    access:values :EditorUpdateClassValueSet ;
+    access:values :SelfEditorPublishClassValueSet ;
+    access:values :SelfEditorDisplayClassValueSet ;
+    access:values :SelfEditorUpdateClassValueSet ;
+    access:values :PublicDisplayClassValueSet ;
+    access:values :PublicUpdateClassValueSet ;
+    .
+
+:AdminPublishClassValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:Class .
+
+:AdminDisplayClassValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:Class .
+
+:AdminUpdateClassValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:Class .
+
+:CuratorPublishClassValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:Class .
+
+:CuratorDisplayClassValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:Class .
+
+:CuratorUpdateClassValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:Class .
+
+:EditorPublishClassValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:Class .
+
+:EditorDisplayClassValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:Class .
+
+:EditorUpdateClassValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:Class .
+
+:SelfEditorPublishClassValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:Class .
+
+:SelfEditorDisplayClassValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:Class .
+
+:SelfEditorUpdateClassValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:Class .
+
+:PublicDisplayClassValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:Class .
+
+:PublicUpdateClassValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:Class .
diff --git a/home/src/main/resources/rdf/accessControl/firsttime/template_access_allowed_property.n3 b/home/src/main/resources/rdf/accessControl/firsttime/template_access_allowed_property.n3
new file mode 100644
index 0000000000..a4f4be4415
--- /dev/null
+++ b/home/src/main/resources/rdf/accessControl/firsttime/template_access_allowed_property.n3
@@ -0,0 +1,2168 @@
+# $This file is distributed under the terms of the license in LICENSE$
+
+@prefix auth: <http://vitro.mannlib.cornell.edu/ns/vitro/authorization#> .
+@prefix access-individual: <https://vivoweb.org/ontology/vitro-application/auth/individual/> .
+@prefix access: <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/> .
+@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
+@prefix : <https://vivoweb.org/ontology/vitro-application/auth/individual/access-allowed-property/> .
+
+:PolicyTemplate a access:PolicyTemplate ;
+    access:hasRule :AllowMatchingPropertyStatement ;
+    access:hasRule :AllowMatchingProperty ;
+
+    access:hasDataSet :PublicDisplayObjectPropertyDataSet ;
+    access:hasDataSet :EditorDisplayObjectPropertyDataSet ;
+    access:hasDataSet :CuratorDisplayObjectPropertyDataSet ;
+    access:hasDataSet :AdminDisplayObjectPropertyDataSet ;
+
+    access:hasDataSet :PublicDisplayDataPropertyDataSet ;
+    access:hasDataSet :EditorDisplayDataPropertyDataSet ;
+    access:hasDataSet :CuratorDisplayDataPropertyDataSet ;
+    access:hasDataSet :AdminDisplayDataPropertyDataSet ;
+
+    access:hasDataSet :PublicDisplayFauxObjectPropertyDataSet ;
+    access:hasDataSet :EditorDisplayFauxObjectPropertyDataSet ;
+    access:hasDataSet :CuratorDisplayFauxObjectPropertyDataSet ;
+    access:hasDataSet :AdminDisplayFauxObjectPropertyDataSet ;
+
+    access:hasDataSet :PublicDisplayFauxDataPropertyDataSet ;
+    access:hasDataSet :EditorDisplayFauxDataPropertyDataSet ;
+    access:hasDataSet :CuratorDisplayFauxDataPropertyDataSet ;
+    access:hasDataSet :AdminDisplayFauxDataPropertyDataSet ;
+
+    access:hasDataSet :EditorPublishObjectPropertyDataSet ;
+    access:hasDataSet :CuratorPublishObjectPropertyDataSet ;
+    access:hasDataSet :AdminPublishObjectPropertyDataSet ;
+
+    access:hasDataSet :EditorPublishDataPropertyDataSet ;
+    access:hasDataSet :CuratorPublishDataPropertyDataSet ;
+    access:hasDataSet :AdminPublishDataPropertyDataSet ;
+
+    access:hasDataSet :EditorPublishFauxObjectPropertyDataSet ;
+    access:hasDataSet :CuratorPublishFauxObjectPropertyDataSet ;
+    access:hasDataSet :AdminPublishFauxObjectPropertyDataSet ;
+
+    access:hasDataSet :EditorPublishFauxDataPropertyDataSet ;
+    access:hasDataSet :CuratorPublishFauxDataPropertyDataSet ;
+    access:hasDataSet :AdminPublishFauxDataPropertyDataSet ;
+
+    access:hasDataSet :PublicEditObjectPropertyDataSet ;
+    access:hasDataSet :EditorEditObjectPropertyDataSet ;
+    access:hasDataSet :CuratorEditObjectPropertyDataSet ;
+    access:hasDataSet :AdminEditObjectPropertyDataSet ;
+
+    access:hasDataSet :PublicAddObjectPropertyDataSet ;
+    access:hasDataSet :EditorAddObjectPropertyDataSet ;
+    access:hasDataSet :CuratorAddObjectPropertyDataSet ;
+    access:hasDataSet :AdminAddObjectPropertyDataSet ;
+
+    access:hasDataSet :PublicDropObjectPropertyDataSet ;
+    access:hasDataSet :EditorDropObjectPropertyDataSet ;
+    access:hasDataSet :CuratorDropObjectPropertyDataSet ;
+    access:hasDataSet :AdminDropObjectPropertyDataSet ;
+
+    access:hasDataSet :PublicEditDataPropertyDataSet ;
+    access:hasDataSet :EditorEditDataPropertyDataSet ;
+    access:hasDataSet :CuratorEditDataPropertyDataSet ;
+    access:hasDataSet :AdminEditDataPropertyDataSet ;
+
+    access:hasDataSet :PublicAddDataPropertyDataSet ;
+    access:hasDataSet :EditorAddDataPropertyDataSet ;
+    access:hasDataSet :CuratorAddDataPropertyDataSet ;
+    access:hasDataSet :AdminAddDataPropertyDataSet ;
+
+    access:hasDataSet :PublicDropDataPropertyDataSet ;
+    access:hasDataSet :EditorDropDataPropertyDataSet ;
+    access:hasDataSet :CuratorDropDataPropertyDataSet ;
+    access:hasDataSet :AdminDropDataPropertyDataSet ;
+
+    access:hasDataSet :PublicEditFauxObjectPropertyDataSet ;
+    access:hasDataSet :EditorEditFauxObjectPropertyDataSet ;
+    access:hasDataSet :CuratorEditFauxObjectPropertyDataSet ;
+    access:hasDataSet :AdminEditFauxObjectPropertyDataSet ;
+
+    access:hasDataSet :PublicAddFauxObjectPropertyDataSet ;
+    access:hasDataSet :EditorAddFauxObjectPropertyDataSet ;
+    access:hasDataSet :CuratorAddFauxObjectPropertyDataSet ;
+    access:hasDataSet :AdminAddFauxObjectPropertyDataSet ;
+
+    access:hasDataSet :PublicDropFauxObjectPropertyDataSet ;
+    access:hasDataSet :EditorDropFauxObjectPropertyDataSet ;
+    access:hasDataSet :CuratorDropFauxObjectPropertyDataSet ;
+    access:hasDataSet :AdminDropFauxObjectPropertyDataSet ;
+
+    access:hasDataSet :PublicEditFauxDataPropertyDataSet ;
+    access:hasDataSet :EditorEditFauxDataPropertyDataSet ;
+    access:hasDataSet :CuratorEditFauxDataPropertyDataSet ;
+    access:hasDataSet :AdminEditFauxDataPropertyDataSet ;
+
+    access:hasDataSet :PublicAddFauxDataPropertyDataSet ;
+    access:hasDataSet :EditorAddFauxDataPropertyDataSet ;
+    access:hasDataSet :CuratorAddFauxDataPropertyDataSet ;
+    access:hasDataSet :AdminAddFauxDataPropertyDataSet ;
+
+    access:hasDataSet :PublicDropFauxDataPropertyDataSet ;
+    access:hasDataSet :EditorDropFauxDataPropertyDataSet ;
+    access:hasDataSet :CuratorDropFauxDataPropertyDataSet ;
+    access:hasDataSet :AdminDropFauxDataPropertyDataSet ;
+
+    access:hasDataSetTemplate :RoleDisplayObjectPropertyDataSetTemplate ;
+    access:hasDataSetTemplate :RolePublishObjectPropertyDataSetTemplate ;
+    access:hasDataSetTemplate :RoleAddObjectPropertyDataSetTemplate ;
+    access:hasDataSetTemplate :RoleDropObjectPropertyDataSetTemplate ;
+
+    access:hasDataSetTemplate :RoleEditObjectPropertyDataSetTemplate ;
+    access:hasDataSetTemplate :RoleDisplayDataPropertyDataSetTemplate ;
+    access:hasDataSetTemplate :RolePublishDataPropertyDataSetTemplate ;
+    access:hasDataSetTemplate :RoleAddDataPropertyDataSetTemplate ;
+
+    access:hasDataSetTemplate :RoleDropDataPropertyDataSetTemplate ;
+    access:hasDataSetTemplate :RoleEditDataPropertyDataSetTemplate ;
+    access:hasDataSetTemplate :RoleDisplayFauxObjectPropertyDataSetTemplate ;
+    access:hasDataSetTemplate :RolePublishFauxObjectPropertyDataSetTemplate ;
+
+    access:hasDataSetTemplate :RoleAddFauxObjectPropertyDataSetTemplate ;
+    access:hasDataSetTemplate :RoleDropFauxObjectPropertyDataSetTemplate ;
+    access:hasDataSetTemplate :RoleEditFauxObjectPropertyDataSetTemplate ;
+    access:hasDataSetTemplate :RoleDisplayFauxDataPropertyDataSetTemplate ;
+
+    access:hasDataSetTemplate :RolePublishFauxDataPropertyDataSetTemplate ;
+    access:hasDataSetTemplate :RoleAddFauxDataPropertyDataSetTemplate ;
+    access:hasDataSetTemplate :RoleDropFauxDataPropertyDataSetTemplate ;
+    access:hasDataSetTemplate :RoleEditFauxDataPropertyDataSetTemplate ;
+    .
+
+
+
+#Role DisplayObjectProperty data set template
+
+:RoleDisplayObjectPropertyDataSetTemplate a access:DataSetTemplate ;
+    access:hasDataSetTemplateKey :RoleDisplayObjectPropertyDataSetTemplateKey ;
+    access:hasDataSetKeyTemplate :RoleDisplayObjectPropertyDataSetKeyTemplate ;
+    access:hasRelatedValueSet access-individual:ObjectPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:ObjectPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:DisplayOperationValueSet ;
+    access:dataSetValueTemplate :RoleDisplayObjectPropertyValueSetTemplate ;
+    access:dataSetValueTemplate :RoleDisplayObjectPropertyEntityValueSetTemplate .  
+
+:RoleDisplayObjectPropertyDataSetTemplateKey a access:DataSetTemplateKey ;
+    access:hasTemplateKeyComponent access-individual:SubjectRole .
+
+:RoleDisplayObjectPropertyDataSetKeyTemplate a access:DataSetKeyTemplate ;
+    access:hasKeyComponent access-individual:ObjectProperty ;
+    access:hasKeyComponent access-individual:DisplayOperation ;
+    access:hasKeyComponentTemplate access-individual:SubjectRole .
+
+:RoleDisplayObjectPropertyValueSetTemplate a access:ValueSetTemplate ;
+    access:relatedCheck :SubjectRoleEqualsDataSetRoleAttribute;
+    access:containsElementsOfType access-individual:SubjectRole .
+
+:RoleDisplayObjectPropertyEntityValueSetTemplate a access:ValueSetTemplate ;
+    access:relatedCheck :AccessObjectUriContainsInDataSet ;
+    access:relatedCheck :StatementPredicateEquals ;
+    access:value rdfs:label ;
+    access:containsElementsOfType access-individual:ObjectProperty .
+
+#Role PublishObjectProperty data set template
+
+:RolePublishObjectPropertyDataSetTemplate a access:DataSetTemplate ;
+    access:hasDataSetTemplateKey :RolePublishObjectPropertyDataSetTemplateKey ;
+    access:hasDataSetKeyTemplate :RolePublishObjectPropertyDataSetKeyTemplate ;
+    access:hasRelatedValueSet access-individual:ObjectPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:ObjectPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:PublishOperationValueSet ;
+    access:dataSetValueTemplate :RolePublishObjectPropertyValueSetTemplate ;
+    access:dataSetValueTemplate :RolePublishObjectPropertyEntityValueSetTemplate .  
+
+:RolePublishObjectPropertyDataSetTemplateKey a access:DataSetTemplateKey ;
+    access:hasTemplateKeyComponent access-individual:SubjectRole .
+
+:RolePublishObjectPropertyDataSetKeyTemplate a access:DataSetKeyTemplate ;
+    access:hasKeyComponent access-individual:ObjectProperty ;
+    access:hasKeyComponent access-individual:PublishOperation ;
+    access:hasKeyComponentTemplate access-individual:SubjectRole .
+
+:RolePublishObjectPropertyValueSetTemplate a access:ValueSetTemplate ;
+    access:relatedCheck :SubjectRoleEqualsDataSetRoleAttribute;
+    access:containsElementsOfType access-individual:SubjectRole .
+
+:RolePublishObjectPropertyEntityValueSetTemplate a access:ValueSetTemplate ;
+    access:relatedCheck :AccessObjectUriContainsInDataSet ;
+    access:relatedCheck :StatementPredicateEquals ;
+    access:value rdfs:label ;
+    access:containsElementsOfType access-individual:ObjectProperty .
+
+#Role AddObjectProperty data set template
+
+:RoleAddObjectPropertyDataSetTemplate a access:DataSetTemplate ;
+    access:hasDataSetTemplateKey :RoleAddObjectPropertyDataSetTemplateKey ;
+    access:hasDataSetKeyTemplate :RoleAddObjectPropertyDataSetKeyTemplate ;
+    access:hasRelatedValueSet access-individual:ObjectPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:ObjectPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:AddOperationValueSet ;
+    access:dataSetValueTemplate :RoleAddObjectPropertyValueSetTemplate ;
+    access:dataSetValueTemplate :RoleAddObjectPropertyEntityValueSetTemplate .  
+
+:RoleAddObjectPropertyDataSetTemplateKey a access:DataSetTemplateKey ;
+    access:hasTemplateKeyComponent access-individual:SubjectRole .
+
+:RoleAddObjectPropertyDataSetKeyTemplate a access:DataSetKeyTemplate ;
+    access:hasKeyComponent access-individual:ObjectProperty ;
+    access:hasKeyComponent access-individual:AddOperation ;
+    access:hasKeyComponentTemplate access-individual:SubjectRole .
+
+:RoleAddObjectPropertyValueSetTemplate a access:ValueSetTemplate ;
+    access:relatedCheck :SubjectRoleEqualsDataSetRoleAttribute;
+    access:containsElementsOfType access-individual:SubjectRole .
+
+:RoleAddObjectPropertyEntityValueSetTemplate a access:ValueSetTemplate ;
+    access:relatedCheck :AccessObjectUriContainsInDataSet ;
+    access:relatedCheck :StatementPredicateEquals ;
+    access:value rdfs:label ;
+    access:containsElementsOfType access-individual:ObjectProperty .
+
+#Role DropObjectProperty data set template
+
+:RoleDropObjectPropertyDataSetTemplate a access:DataSetTemplate ;
+    access:hasDataSetTemplateKey :RoleDropObjectPropertyDataSetTemplateKey ;
+    access:hasDataSetKeyTemplate :RoleDropObjectPropertyDataSetKeyTemplate ;
+    access:hasRelatedValueSet access-individual:ObjectPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:ObjectPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:DropOperationValueSet ;
+    access:dataSetValueTemplate :RoleDropObjectPropertyValueSetTemplate ;
+    access:dataSetValueTemplate :RoleDropObjectPropertyEntityValueSetTemplate .  
+
+:RoleDropObjectPropertyDataSetTemplateKey a access:DataSetTemplateKey ;
+    access:hasTemplateKeyComponent access-individual:SubjectRole .
+
+:RoleDropObjectPropertyDataSetKeyTemplate a access:DataSetKeyTemplate ;
+    access:hasKeyComponent access-individual:ObjectProperty ;
+    access:hasKeyComponent access-individual:DropOperation ;
+    access:hasKeyComponentTemplate access-individual:SubjectRole .
+
+:RoleDropObjectPropertyValueSetTemplate a access:ValueSetTemplate ;
+    access:relatedCheck :SubjectRoleEqualsDataSetRoleAttribute;
+    access:containsElementsOfType access-individual:SubjectRole .
+
+:RoleDropObjectPropertyEntityValueSetTemplate a access:ValueSetTemplate ;
+    access:relatedCheck :AccessObjectUriContainsInDataSet ;
+    access:relatedCheck :StatementPredicateEquals ;
+    access:value rdfs:label ;
+    access:containsElementsOfType access-individual:ObjectProperty .
+
+#Role EditObjectProperty data set template
+
+:RoleEditObjectPropertyDataSetTemplate a access:DataSetTemplate ;
+    access:hasDataSetTemplateKey :RoleEditObjectPropertyDataSetTemplateKey ;
+    access:hasDataSetKeyTemplate :RoleEditObjectPropertyDataSetKeyTemplate ;
+    access:hasRelatedValueSet access-individual:ObjectPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:ObjectPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:EditOperationValueSet ;
+    access:dataSetValueTemplate :RoleEditObjectPropertyValueSetTemplate ;
+    access:dataSetValueTemplate :RoleEditObjectPropertyEntityValueSetTemplate .  
+
+:RoleEditObjectPropertyDataSetTemplateKey a access:DataSetTemplateKey ;
+    access:hasTemplateKeyComponent access-individual:SubjectRole .
+
+:RoleEditObjectPropertyDataSetKeyTemplate a access:DataSetKeyTemplate ;
+    access:hasKeyComponent access-individual:ObjectProperty ;
+    access:hasKeyComponent access-individual:EditOperation ;
+    access:hasKeyComponentTemplate access-individual:SubjectRole .
+
+:RoleEditObjectPropertyValueSetTemplate a access:ValueSetTemplate ;
+    access:relatedCheck :SubjectRoleEqualsDataSetRoleAttribute;
+    access:containsElementsOfType access-individual:SubjectRole .
+
+:RoleEditObjectPropertyEntityValueSetTemplate a access:ValueSetTemplate ;
+    access:relatedCheck :AccessObjectUriContainsInDataSet ;
+    access:relatedCheck :StatementPredicateEquals ;
+    access:value rdfs:label ;
+    access:containsElementsOfType access-individual:ObjectProperty .
+
+#Role DisplayDataProperty data set template
+
+:RoleDisplayDataPropertyDataSetTemplate a access:DataSetTemplate ;
+    access:hasDataSetTemplateKey :RoleDisplayDataPropertyDataSetTemplateKey ;
+    access:hasDataSetKeyTemplate :RoleDisplayDataPropertyDataSetKeyTemplate ;
+    access:hasRelatedValueSet access-individual:DataPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:DataPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:DisplayOperationValueSet ;
+    access:dataSetValueTemplate :RoleDisplayDataPropertyValueSetTemplate ;
+    access:dataSetValueTemplate :RoleDisplayDataPropertyEntityValueSetTemplate .  
+
+:RoleDisplayDataPropertyDataSetTemplateKey a access:DataSetTemplateKey ;
+    access:hasTemplateKeyComponent access-individual:SubjectRole .
+
+:RoleDisplayDataPropertyDataSetKeyTemplate a access:DataSetKeyTemplate ;
+    access:hasKeyComponent access-individual:DataProperty ;
+    access:hasKeyComponent access-individual:DisplayOperation ;
+    access:hasKeyComponentTemplate access-individual:SubjectRole .
+
+:RoleDisplayDataPropertyValueSetTemplate a access:ValueSetTemplate ;
+    access:relatedCheck :SubjectRoleEqualsDataSetRoleAttribute;
+    access:containsElementsOfType access-individual:SubjectRole .
+
+:RoleDisplayDataPropertyEntityValueSetTemplate a access:ValueSetTemplate ;
+    access:relatedCheck :AccessObjectUriContainsInDataSet ;
+    access:relatedCheck :StatementPredicateEquals ;
+#    access:value access-individual:defaultUri ;
+    access:containsElementsOfType access-individual:DataProperty .
+
+#Role PublishDataProperty data set template
+
+:RolePublishDataPropertyDataSetTemplate a access:DataSetTemplate ;
+    access:hasDataSetTemplateKey :RolePublishDataPropertyDataSetTemplateKey ;
+    access:hasDataSetKeyTemplate :RolePublishDataPropertyDataSetKeyTemplate ;
+    access:hasRelatedValueSet access-individual:DataPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:DataPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:PublishOperationValueSet ;
+    access:dataSetValueTemplate :RolePublishDataPropertyValueSetTemplate ;
+    access:dataSetValueTemplate :RolePublishDataPropertyEntityValueSetTemplate .  
+
+:RolePublishDataPropertyDataSetTemplateKey a access:DataSetTemplateKey ;
+    access:hasTemplateKeyComponent access-individual:SubjectRole .
+
+:RolePublishDataPropertyDataSetKeyTemplate a access:DataSetKeyTemplate ;
+    access:hasKeyComponent access-individual:DataProperty ;
+    access:hasKeyComponent access-individual:PublishOperation ;
+    access:hasKeyComponentTemplate access-individual:SubjectRole .
+
+:RolePublishDataPropertyValueSetTemplate a access:ValueSetTemplate ;
+    access:relatedCheck :SubjectRoleEqualsDataSetRoleAttribute;
+    access:containsElementsOfType access-individual:SubjectRole .
+
+:RolePublishDataPropertyEntityValueSetTemplate a access:ValueSetTemplate ;
+    access:relatedCheck :AccessObjectUriContainsInDataSet ;
+    access:relatedCheck :StatementPredicateEquals ;
+#    access:value access-individual:defaultUri ;
+    access:containsElementsOfType access-individual:DataProperty .
+
+#Role AddDataProperty data set template
+
+:RoleAddDataPropertyDataSetTemplate a access:DataSetTemplate ;
+    access:hasDataSetTemplateKey :RoleAddDataPropertyDataSetTemplateKey ;
+    access:hasDataSetKeyTemplate :RoleAddDataPropertyDataSetKeyTemplate ;
+    access:hasRelatedValueSet access-individual:DataPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:DataPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:AddOperationValueSet ;
+    access:dataSetValueTemplate :RoleAddDataPropertyValueSetTemplate ;
+    access:dataSetValueTemplate :RoleAddDataPropertyEntityValueSetTemplate .  
+
+:RoleAddDataPropertyDataSetTemplateKey a access:DataSetTemplateKey ;
+    access:hasTemplateKeyComponent access-individual:SubjectRole .
+
+:RoleAddDataPropertyDataSetKeyTemplate a access:DataSetKeyTemplate ;
+    access:hasKeyComponent access-individual:DataProperty ;
+    access:hasKeyComponent access-individual:AddOperation ;
+    access:hasKeyComponentTemplate access-individual:SubjectRole .
+
+:RoleAddDataPropertyValueSetTemplate a access:ValueSetTemplate ;
+    access:relatedCheck :SubjectRoleEqualsDataSetRoleAttribute;
+    access:containsElementsOfType access-individual:SubjectRole .
+
+:RoleAddDataPropertyEntityValueSetTemplate a access:ValueSetTemplate ;
+    access:relatedCheck :AccessObjectUriContainsInDataSet ;
+    access:relatedCheck :StatementPredicateEquals ;
+#    access:value access-individual:defaultUri ;
+    access:containsElementsOfType access-individual:DataProperty .
+
+#Role DropDataProperty data set template
+
+:RoleDropDataPropertyDataSetTemplate a access:DataSetTemplate ;
+    access:hasDataSetTemplateKey :RoleDropDataPropertyDataSetTemplateKey ;
+    access:hasDataSetKeyTemplate :RoleDropDataPropertyDataSetKeyTemplate ;
+    access:hasRelatedValueSet access-individual:DataPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:DataPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:DropOperationValueSet ;
+    access:dataSetValueTemplate :RoleDropDataPropertyValueSetTemplate ;
+    access:dataSetValueTemplate :RoleDropDataPropertyEntityValueSetTemplate .  
+
+:RoleDropDataPropertyDataSetTemplateKey a access:DataSetTemplateKey ;
+    access:hasTemplateKeyComponent access-individual:SubjectRole .
+
+:RoleDropDataPropertyDataSetKeyTemplate a access:DataSetKeyTemplate ;
+    access:hasKeyComponent access-individual:DataProperty ;
+    access:hasKeyComponent access-individual:DropOperation ;
+    access:hasKeyComponentTemplate access-individual:SubjectRole .
+
+:RoleDropDataPropertyValueSetTemplate a access:ValueSetTemplate ;
+    access:relatedCheck :SubjectRoleEqualsDataSetRoleAttribute;
+    access:containsElementsOfType access-individual:SubjectRole .
+
+:RoleDropDataPropertyEntityValueSetTemplate a access:ValueSetTemplate ;
+    access:relatedCheck :AccessObjectUriContainsInDataSet ;
+    access:relatedCheck :StatementPredicateEquals ;
+#    access:value access-individual:defaultUri ;
+    access:containsElementsOfType access-individual:DataProperty .
+
+#Role EditDataProperty data set template
+
+:RoleEditDataPropertyDataSetTemplate a access:DataSetTemplate ;
+    access:hasDataSetTemplateKey :RoleEditDataPropertyDataSetTemplateKey ;
+    access:hasDataSetKeyTemplate :RoleEditDataPropertyDataSetKeyTemplate ;
+    access:hasRelatedValueSet access-individual:DataPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:DataPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:EditOperationValueSet ;
+    access:dataSetValueTemplate :RoleEditDataPropertyValueSetTemplate ;
+    access:dataSetValueTemplate :RoleEditDataPropertyEntityValueSetTemplate .  
+
+:RoleEditDataPropertyDataSetTemplateKey a access:DataSetTemplateKey ;
+    access:hasTemplateKeyComponent access-individual:SubjectRole .
+
+:RoleEditDataPropertyDataSetKeyTemplate a access:DataSetKeyTemplate ;
+    access:hasKeyComponent access-individual:DataProperty ;
+    access:hasKeyComponent access-individual:EditOperation ;
+    access:hasKeyComponentTemplate access-individual:SubjectRole .
+
+:RoleEditDataPropertyValueSetTemplate a access:ValueSetTemplate ;
+    access:relatedCheck :SubjectRoleEqualsDataSetRoleAttribute;
+    access:containsElementsOfType access-individual:SubjectRole .
+
+:RoleEditDataPropertyEntityValueSetTemplate a access:ValueSetTemplate ;
+    access:relatedCheck :AccessObjectUriContainsInDataSet ;
+    access:relatedCheck :StatementPredicateEquals ;
+#    access:value access-individual:defaultUri ;
+    access:containsElementsOfType access-individual:DataProperty .
+
+#Role DisplayFauxObjectProperty data set template
+
+:RoleDisplayFauxObjectPropertyDataSetTemplate a access:DataSetTemplate ;
+    access:hasDataSetTemplateKey :RoleDisplayFauxObjectPropertyDataSetTemplateKey ;
+    access:hasDataSetKeyTemplate :RoleDisplayFauxObjectPropertyDataSetKeyTemplate ;
+    access:hasRelatedValueSet access-individual:FauxObjectPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:FauxObjectPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:DisplayOperationValueSet ;
+    access:dataSetValueTemplate :RoleDisplayFauxObjectPropertyValueSetTemplate ;
+    access:dataSetValueTemplate :RoleDisplayFauxObjectPropertyEntityValueSetTemplate .  
+
+:RoleDisplayFauxObjectPropertyDataSetTemplateKey a access:DataSetTemplateKey ;
+    access:hasTemplateKeyComponent access-individual:SubjectRole .
+
+:RoleDisplayFauxObjectPropertyDataSetKeyTemplate a access:DataSetKeyTemplate ;
+    access:hasKeyComponent access-individual:FauxObjectProperty ;
+    access:hasKeyComponent access-individual:DisplayOperation ;
+    access:hasKeyComponentTemplate access-individual:SubjectRole .
+
+:RoleDisplayFauxObjectPropertyValueSetTemplate a access:ValueSetTemplate ;
+    access:relatedCheck :SubjectRoleEqualsDataSetRoleAttribute;
+    access:containsElementsOfType access-individual:SubjectRole .
+
+:RoleDisplayFauxObjectPropertyEntityValueSetTemplate a access:ValueSetTemplate ;
+    access:relatedCheck :AccessObjectUriContainsInDataSet ;
+    access:relatedCheck :StatementPredicateEquals ;
+#    access:value access-individual:defaultUri ;
+    access:containsElementsOfType access-individual:FauxObjectProperty .
+
+#Role PublishFauxObjectProperty data set template
+
+:RolePublishFauxObjectPropertyDataSetTemplate a access:DataSetTemplate ;
+    access:hasDataSetTemplateKey :RolePublishFauxObjectPropertyDataSetTemplateKey ;
+    access:hasDataSetKeyTemplate :RolePublishFauxObjectPropertyDataSetKeyTemplate ;
+    access:hasRelatedValueSet access-individual:FauxObjectPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:FauxObjectPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:PublishOperationValueSet ;
+    access:dataSetValueTemplate :RolePublishFauxObjectPropertyValueSetTemplate ;
+    access:dataSetValueTemplate :RolePublishFauxObjectPropertyEntityValueSetTemplate .  
+
+:RolePublishFauxObjectPropertyDataSetTemplateKey a access:DataSetTemplateKey ;
+    access:hasTemplateKeyComponent access-individual:SubjectRole .
+
+:RolePublishFauxObjectPropertyDataSetKeyTemplate a access:DataSetKeyTemplate ;
+    access:hasKeyComponent access-individual:FauxObjectProperty ;
+    access:hasKeyComponent access-individual:PublishOperation ;
+    access:hasKeyComponentTemplate access-individual:SubjectRole .
+
+:RolePublishFauxObjectPropertyValueSetTemplate a access:ValueSetTemplate ;
+    access:relatedCheck :SubjectRoleEqualsDataSetRoleAttribute;
+    access:containsElementsOfType access-individual:SubjectRole .
+
+:RolePublishFauxObjectPropertyEntityValueSetTemplate a access:ValueSetTemplate ;
+    access:relatedCheck :AccessObjectUriContainsInDataSet ;
+    access:relatedCheck :StatementPredicateEquals ;
+#    access:value access-individual:defaultUri ;
+    access:containsElementsOfType access-individual:FauxObjectProperty .
+
+#Role AddFauxObjectProperty data set template
+
+:RoleAddFauxObjectPropertyDataSetTemplate a access:DataSetTemplate ;
+    access:hasDataSetTemplateKey :RoleAddFauxObjectPropertyDataSetTemplateKey ;
+    access:hasDataSetKeyTemplate :RoleAddFauxObjectPropertyDataSetKeyTemplate ;
+    access:hasRelatedValueSet access-individual:FauxObjectPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:FauxObjectPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:AddOperationValueSet ;
+    access:dataSetValueTemplate :RoleAddFauxObjectPropertyValueSetTemplate ;
+    access:dataSetValueTemplate :RoleAddFauxObjectPropertyEntityValueSetTemplate .  
+
+:RoleAddFauxObjectPropertyDataSetTemplateKey a access:DataSetTemplateKey ;
+    access:hasTemplateKeyComponent access-individual:SubjectRole .
+
+:RoleAddFauxObjectPropertyDataSetKeyTemplate a access:DataSetKeyTemplate ;
+    access:hasKeyComponent access-individual:FauxObjectProperty ;
+    access:hasKeyComponent access-individual:AddOperation ;
+    access:hasKeyComponentTemplate access-individual:SubjectRole .
+
+:RoleAddFauxObjectPropertyValueSetTemplate a access:ValueSetTemplate ;
+    access:relatedCheck :SubjectRoleEqualsDataSetRoleAttribute;
+    access:containsElementsOfType access-individual:SubjectRole .
+
+:RoleAddFauxObjectPropertyEntityValueSetTemplate a access:ValueSetTemplate ;
+    access:relatedCheck :AccessObjectUriContainsInDataSet ;
+    access:relatedCheck :StatementPredicateEquals ;
+#    access:value access-individual:defaultUri ;
+    access:containsElementsOfType access-individual:FauxObjectProperty .
+
+#Role DropFauxObjectProperty data set template
+
+:RoleDropFauxObjectPropertyDataSetTemplate a access:DataSetTemplate ;
+    access:hasDataSetTemplateKey :RoleDropFauxObjectPropertyDataSetTemplateKey ;
+    access:hasDataSetKeyTemplate :RoleDropFauxObjectPropertyDataSetKeyTemplate ;
+    access:hasRelatedValueSet access-individual:FauxObjectPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:FauxObjectPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:DropOperationValueSet ;
+    access:dataSetValueTemplate :RoleDropFauxObjectPropertyValueSetTemplate ;
+    access:dataSetValueTemplate :RoleDropFauxObjectPropertyEntityValueSetTemplate .  
+
+:RoleDropFauxObjectPropertyDataSetTemplateKey a access:DataSetTemplateKey ;
+    access:hasTemplateKeyComponent access-individual:SubjectRole .
+
+:RoleDropFauxObjectPropertyDataSetKeyTemplate a access:DataSetKeyTemplate ;
+    access:hasKeyComponent access-individual:FauxObjectProperty ;
+    access:hasKeyComponent access-individual:DropOperation ;
+    access:hasKeyComponentTemplate access-individual:SubjectRole .
+
+:RoleDropFauxObjectPropertyValueSetTemplate a access:ValueSetTemplate ;
+    access:relatedCheck :SubjectRoleEqualsDataSetRoleAttribute;
+    access:containsElementsOfType access-individual:SubjectRole .
+
+:RoleDropFauxObjectPropertyEntityValueSetTemplate a access:ValueSetTemplate ;
+    access:relatedCheck :AccessObjectUriContainsInDataSet ;
+    access:relatedCheck :StatementPredicateEquals ;
+#    access:value access-individual:defaultUri ;
+    access:containsElementsOfType access-individual:FauxObjectProperty .
+
+#Role EditFauxObjectProperty data set template
+
+:RoleEditFauxObjectPropertyDataSetTemplate a access:DataSetTemplate ;
+    access:hasDataSetTemplateKey :RoleEditFauxObjectPropertyDataSetTemplateKey ;
+    access:hasDataSetKeyTemplate :RoleEditFauxObjectPropertyDataSetKeyTemplate ;
+    access:hasRelatedValueSet access-individual:FauxObjectPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:FauxObjectPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:EditOperationValueSet ;
+    access:dataSetValueTemplate :RoleEditFauxObjectPropertyValueSetTemplate ;
+    access:dataSetValueTemplate :RoleEditFauxObjectPropertyEntityValueSetTemplate .  
+
+:RoleEditFauxObjectPropertyDataSetTemplateKey a access:DataSetTemplateKey ;
+    access:hasTemplateKeyComponent access-individual:SubjectRole .
+
+:RoleEditFauxObjectPropertyDataSetKeyTemplate a access:DataSetKeyTemplate ;
+    access:hasKeyComponent access-individual:FauxObjectProperty ;
+    access:hasKeyComponent access-individual:EditOperation ;
+    access:hasKeyComponentTemplate access-individual:SubjectRole .
+
+:RoleEditFauxObjectPropertyValueSetTemplate a access:ValueSetTemplate ;
+    access:relatedCheck :SubjectRoleEqualsDataSetRoleAttribute;
+    access:containsElementsOfType access-individual:SubjectRole .
+
+:RoleEditFauxObjectPropertyEntityValueSetTemplate a access:ValueSetTemplate ;
+    access:relatedCheck :AccessObjectUriContainsInDataSet ;
+    access:relatedCheck :StatementPredicateEquals ;
+#    access:value access-individual:defaultUri ;
+    access:containsElementsOfType access-individual:FauxObjectProperty .
+
+#Role DisplayFauxDataProperty data set template
+
+:RoleDisplayFauxDataPropertyDataSetTemplate a access:DataSetTemplate ;
+    access:hasDataSetTemplateKey :RoleDisplayFauxDataPropertyDataSetTemplateKey ;
+    access:hasDataSetKeyTemplate :RoleDisplayFauxDataPropertyDataSetKeyTemplate ;
+    access:hasRelatedValueSet access-individual:FauxDataPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:FauxDataPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:DisplayOperationValueSet ;
+    access:dataSetValueTemplate :RoleDisplayFauxDataPropertyValueSetTemplate ;
+    access:dataSetValueTemplate :RoleDisplayFauxDataPropertyEntityValueSetTemplate .  
+
+:RoleDisplayFauxDataPropertyDataSetTemplateKey a access:DataSetTemplateKey ;
+    access:hasTemplateKeyComponent access-individual:SubjectRole .
+
+:RoleDisplayFauxDataPropertyDataSetKeyTemplate a access:DataSetKeyTemplate ;
+    access:hasKeyComponent access-individual:FauxDataProperty ;
+    access:hasKeyComponent access-individual:DisplayOperation ;
+    access:hasKeyComponentTemplate access-individual:SubjectRole .
+
+:RoleDisplayFauxDataPropertyValueSetTemplate a access:ValueSetTemplate ;
+    access:relatedCheck :SubjectRoleEqualsDataSetRoleAttribute;
+    access:containsElementsOfType access-individual:SubjectRole .
+
+:RoleDisplayFauxDataPropertyEntityValueSetTemplate a access:ValueSetTemplate ;
+    access:relatedCheck :AccessObjectUriContainsInDataSet ;
+    access:relatedCheck :StatementPredicateEquals ;
+#    access:value access-individual:defaultUri ;
+    access:containsElementsOfType access-individual:FauxDataProperty .
+
+#Role PublishFauxDataProperty data set template
+
+:RolePublishFauxDataPropertyDataSetTemplate a access:DataSetTemplate ;
+    access:hasDataSetTemplateKey :RolePublishFauxDataPropertyDataSetTemplateKey ;
+    access:hasDataSetKeyTemplate :RolePublishFauxDataPropertyDataSetKeyTemplate ;
+    access:hasRelatedValueSet access-individual:FauxDataPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:FauxDataPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:PublishOperationValueSet ;
+    access:dataSetValueTemplate :RolePublishFauxDataPropertyValueSetTemplate ;
+    access:dataSetValueTemplate :RolePublishFauxDataPropertyEntityValueSetTemplate .  
+
+:RolePublishFauxDataPropertyDataSetTemplateKey a access:DataSetTemplateKey ;
+    access:hasTemplateKeyComponent access-individual:SubjectRole .
+
+:RolePublishFauxDataPropertyDataSetKeyTemplate a access:DataSetKeyTemplate ;
+    access:hasKeyComponent access-individual:FauxDataProperty ;
+    access:hasKeyComponent access-individual:PublishOperation ;
+    access:hasKeyComponentTemplate access-individual:SubjectRole .
+
+:RolePublishFauxDataPropertyValueSetTemplate a access:ValueSetTemplate ;
+    access:relatedCheck :SubjectRoleEqualsDataSetRoleAttribute;
+    access:containsElementsOfType access-individual:SubjectRole .
+
+:RolePublishFauxDataPropertyEntityValueSetTemplate a access:ValueSetTemplate ;
+    access:relatedCheck :AccessObjectUriContainsInDataSet ;
+    access:relatedCheck :StatementPredicateEquals ;
+#    access:value access-individual:defaultUri ;
+    access:containsElementsOfType access-individual:FauxDataProperty .
+
+#Role AddFauxDataProperty data set template
+
+:RoleAddFauxDataPropertyDataSetTemplate a access:DataSetTemplate ;
+    access:hasDataSetTemplateKey :RoleAddFauxDataPropertyDataSetTemplateKey ;
+    access:hasDataSetKeyTemplate :RoleAddFauxDataPropertyDataSetKeyTemplate ;
+    access:hasRelatedValueSet access-individual:FauxDataPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:FauxDataPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:AddOperationValueSet ;
+    access:dataSetValueTemplate :RoleAddFauxDataPropertyValueSetTemplate ;
+    access:dataSetValueTemplate :RoleAddFauxDataPropertyEntityValueSetTemplate .  
+
+:RoleAddFauxDataPropertyDataSetTemplateKey a access:DataSetTemplateKey ;
+    access:hasTemplateKeyComponent access-individual:SubjectRole .
+
+:RoleAddFauxDataPropertyDataSetKeyTemplate a access:DataSetKeyTemplate ;
+    access:hasKeyComponent access-individual:FauxDataProperty ;
+    access:hasKeyComponent access-individual:AddOperation ;
+    access:hasKeyComponentTemplate access-individual:SubjectRole .
+
+:RoleAddFauxDataPropertyValueSetTemplate a access:ValueSetTemplate ;
+    access:relatedCheck :SubjectRoleEqualsDataSetRoleAttribute;
+    access:containsElementsOfType access-individual:SubjectRole .
+
+:RoleAddFauxDataPropertyEntityValueSetTemplate a access:ValueSetTemplate ;
+    access:relatedCheck :AccessObjectUriContainsInDataSet ;
+    access:relatedCheck :StatementPredicateEquals ;
+#    access:value access-individual:defaultUri ;
+    access:containsElementsOfType access-individual:FauxDataProperty .
+
+#Role DropFauxDataProperty data set template
+
+:RoleDropFauxDataPropertyDataSetTemplate a access:DataSetTemplate ;
+    access:hasDataSetTemplateKey :RoleDropFauxDataPropertyDataSetTemplateKey ;
+    access:hasDataSetKeyTemplate :RoleDropFauxDataPropertyDataSetKeyTemplate ;
+    access:hasRelatedValueSet access-individual:FauxDataPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:FauxDataPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:DropOperationValueSet ;
+    access:dataSetValueTemplate :RoleDropFauxDataPropertyValueSetTemplate ;
+    access:dataSetValueTemplate :RoleDropFauxDataPropertyEntityValueSetTemplate .  
+
+:RoleDropFauxDataPropertyDataSetTemplateKey a access:DataSetTemplateKey ;
+    access:hasTemplateKeyComponent access-individual:SubjectRole .
+
+:RoleDropFauxDataPropertyDataSetKeyTemplate a access:DataSetKeyTemplate ;
+    access:hasKeyComponent access-individual:FauxDataProperty ;
+    access:hasKeyComponent access-individual:DropOperation ;
+    access:hasKeyComponentTemplate access-individual:SubjectRole .
+
+:RoleDropFauxDataPropertyValueSetTemplate a access:ValueSetTemplate ;
+    access:relatedCheck :SubjectRoleEqualsDataSetRoleAttribute;
+    access:containsElementsOfType access-individual:SubjectRole .
+
+:RoleDropFauxDataPropertyEntityValueSetTemplate a access:ValueSetTemplate ;
+    access:relatedCheck :AccessObjectUriContainsInDataSet ;
+    access:relatedCheck :StatementPredicateEquals ;
+#    access:value access-individual:defaultUri ;
+    access:containsElementsOfType access-individual:FauxDataProperty .
+
+#Role EditFauxDataProperty data set template
+
+:RoleEditFauxDataPropertyDataSetTemplate a access:DataSetTemplate ;
+    access:hasDataSetTemplateKey :RoleEditFauxDataPropertyDataSetTemplateKey ;
+    access:hasDataSetKeyTemplate :RoleEditFauxDataPropertyDataSetKeyTemplate ;
+    access:hasRelatedValueSet access-individual:FauxDataPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:FauxDataPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:EditOperationValueSet ;
+    access:dataSetValueTemplate :RoleEditFauxDataPropertyValueSetTemplate ;
+    access:dataSetValueTemplate :RoleEditFauxDataPropertyEntityValueSetTemplate .  
+
+:RoleEditFauxDataPropertyDataSetTemplateKey a access:DataSetTemplateKey ;
+    access:hasTemplateKeyComponent access-individual:SubjectRole .
+
+:RoleEditFauxDataPropertyDataSetKeyTemplate a access:DataSetKeyTemplate ;
+    access:hasKeyComponent access-individual:FauxDataProperty ;
+    access:hasKeyComponent access-individual:EditOperation ;
+    access:hasKeyComponentTemplate access-individual:SubjectRole .
+
+:RoleEditFauxDataPropertyValueSetTemplate a access:ValueSetTemplate ;
+    access:relatedCheck :SubjectRoleEqualsDataSetRoleAttribute;
+    access:containsElementsOfType access-individual:SubjectRole .
+
+:RoleEditFauxDataPropertyEntityValueSetTemplate a access:ValueSetTemplate ;
+    access:relatedCheck :AccessObjectUriContainsInDataSet ;
+    access:relatedCheck :StatementPredicateEquals ;
+#    access:value access-individual:defaultUri ;
+    access:containsElementsOfType access-individual:FauxDataProperty .
+
+
+
+### Drop faux data property data sets
+
+:PublicDropFauxDataPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :PublicDropFauxDataPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:PublicRoleValueSet ;
+    access:hasRelatedValueSet access-individual:FauxDataPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:FauxDataPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:DropOperationValueSet ;
+    access:hasRelatedValueSet :PublicDropFauxDataPropertyValueSet .
+
+:PublicDropFauxDataPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:FauxDataProperty ;
+    access:hasKeyComponent access-individual:PublicRoleUri ;
+    access:hasKeyComponent access-individual:DropOperation .
+
+:EditorDropFauxDataPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :EditorDropFauxDataPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:EditorRoleValueSet ;
+    access:hasRelatedValueSet access-individual:FauxDataPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:FauxDataPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:DropOperationValueSet ;
+    access:hasRelatedValueSet :EditorDropFauxDataPropertyValueSet .
+
+:EditorDropFauxDataPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:FauxDataProperty ;
+    access:hasKeyComponent access-individual:EditorRoleUri ;
+    access:hasKeyComponent access-individual:DropOperation .
+
+:CuratorDropFauxDataPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :CuratorDropFauxDataPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:CuratorRoleValueSet ;
+    access:hasRelatedValueSet access-individual:FauxDataPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:FauxDataPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:DropOperationValueSet ;
+    access:hasRelatedValueSet :CuratorDropFauxDataPropertyValueSet .
+
+:CuratorDropFauxDataPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:FauxDataProperty ;
+    access:hasKeyComponent access-individual:CuratorRoleUri ;
+    access:hasKeyComponent access-individual:DropOperation .
+
+:AdminDropFauxDataPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :AdminDropFauxDataPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:AdminRoleValueSet ;
+    access:hasRelatedValueSet access-individual:FauxDataPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:FauxDataPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:DropOperationValueSet ;
+    access:hasRelatedValueSet :AdminDropFauxDataPropertyValueSet .
+
+:AdminDropFauxDataPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:FauxDataProperty ;
+    access:hasKeyComponent access-individual:AdminRoleUri ;
+    access:hasKeyComponent access-individual:DropOperation .
+
+### Add faux data property data sets
+
+:PublicAddFauxDataPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :PublicAddFauxDataPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:PublicRoleValueSet ;
+    access:hasRelatedValueSet access-individual:FauxDataPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:FauxDataPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:AddOperationValueSet ;
+    access:hasRelatedValueSet :PublicAddFauxDataPropertyValueSet .
+
+:PublicAddFauxDataPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:FauxDataProperty ;
+    access:hasKeyComponent access-individual:PublicRoleUri ;
+    access:hasKeyComponent access-individual:AddOperation .
+
+:EditorAddFauxDataPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :EditorAddFauxDataPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:EditorRoleValueSet ;
+    access:hasRelatedValueSet access-individual:FauxDataPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:FauxDataPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:AddOperationValueSet ;
+    access:hasRelatedValueSet :EditorAddFauxDataPropertyValueSet .
+
+:EditorAddFauxDataPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:FauxDataProperty ;
+    access:hasKeyComponent access-individual:EditorRoleUri ;
+    access:hasKeyComponent access-individual:AddOperation .
+
+:CuratorAddFauxDataPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :CuratorAddFauxDataPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:CuratorRoleValueSet ;
+    access:hasRelatedValueSet access-individual:FauxDataPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:FauxDataPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:AddOperationValueSet ;
+    access:hasRelatedValueSet :CuratorAddFauxDataPropertyValueSet .
+
+:CuratorAddFauxDataPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:FauxDataProperty ;
+    access:hasKeyComponent access-individual:CuratorRoleUri ;
+    access:hasKeyComponent access-individual:AddOperation .
+
+:AdminAddFauxDataPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :AdminAddFauxDataPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:AdminRoleValueSet ;
+    access:hasRelatedValueSet access-individual:FauxDataPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:FauxDataPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:AddOperationValueSet ;
+    access:hasRelatedValueSet :AdminAddFauxDataPropertyValueSet .
+
+:AdminAddFauxDataPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:FauxDataProperty ;
+    access:hasKeyComponent access-individual:AdminRoleUri ;
+    access:hasKeyComponent access-individual:AddOperation .
+
+### Edit faux data property data sets
+
+:PublicEditFauxDataPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :PublicEditFauxDataPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:PublicRoleValueSet ;
+    access:hasRelatedValueSet access-individual:FauxDataPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:FauxDataPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:EditOperationValueSet ;
+    access:hasRelatedValueSet :PublicEditFauxDataPropertyValueSet .
+
+:PublicEditFauxDataPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:FauxDataProperty ;
+    access:hasKeyComponent access-individual:PublicRoleUri ;
+    access:hasKeyComponent access-individual:EditOperation .
+
+:EditorEditFauxDataPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :EditorEditFauxDataPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:EditorRoleValueSet ;
+    access:hasRelatedValueSet access-individual:FauxDataPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:FauxDataPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:EditOperationValueSet ;
+    access:hasRelatedValueSet :EditorEditFauxDataPropertyValueSet .
+
+:EditorEditFauxDataPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:FauxDataProperty ;
+    access:hasKeyComponent access-individual:EditorRoleUri ;
+    access:hasKeyComponent access-individual:EditOperation .
+
+:CuratorEditFauxDataPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :CuratorEditFauxDataPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:CuratorRoleValueSet ;
+    access:hasRelatedValueSet access-individual:FauxDataPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:FauxDataPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:EditOperationValueSet ;
+    access:hasRelatedValueSet :CuratorEditFauxDataPropertyValueSet .
+
+:CuratorEditFauxDataPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:FauxDataProperty ;
+    access:hasKeyComponent access-individual:CuratorRoleUri ;
+    access:hasKeyComponent access-individual:EditOperation .
+
+:AdminEditFauxDataPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :AdminEditFauxDataPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:AdminRoleValueSet ;
+    access:hasRelatedValueSet access-individual:FauxDataPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:FauxDataPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:EditOperationValueSet ;
+    access:hasRelatedValueSet :AdminEditFauxDataPropertyValueSet .
+
+:AdminEditFauxDataPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:FauxDataProperty ;
+    access:hasKeyComponent access-individual:AdminRoleUri ;
+    access:hasKeyComponent access-individual:EditOperation .
+
+### Drop faux object property data sets
+
+:PublicDropFauxObjectPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :PublicDropFauxObjectPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:PublicRoleValueSet ;
+    access:hasRelatedValueSet access-individual:FauxObjectPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:FauxObjectPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:DropOperationValueSet ;
+    access:hasRelatedValueSet :PublicDropFauxObjectPropertyValueSet .
+
+:PublicDropFauxObjectPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:FauxObjectProperty ;
+    access:hasKeyComponent access-individual:PublicRoleUri ;
+    access:hasKeyComponent access-individual:DropOperation .
+
+:EditorDropFauxObjectPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :EditorDropFauxObjectPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:EditorRoleValueSet ;
+    access:hasRelatedValueSet access-individual:FauxObjectPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:FauxObjectPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:DropOperationValueSet ;
+    access:hasRelatedValueSet :EditorDropFauxObjectPropertyValueSet .
+
+:EditorDropFauxObjectPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:FauxObjectProperty ;
+    access:hasKeyComponent access-individual:EditorRoleUri ;
+    access:hasKeyComponent access-individual:DropOperation .
+
+:CuratorDropFauxObjectPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :CuratorDropFauxObjectPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:CuratorRoleValueSet ;
+    access:hasRelatedValueSet access-individual:FauxObjectPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:FauxObjectPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:DropOperationValueSet ;
+    access:hasRelatedValueSet :CuratorDropFauxObjectPropertyValueSet .
+
+:CuratorDropFauxObjectPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:FauxObjectProperty ;
+    access:hasKeyComponent access-individual:CuratorRoleUri ;
+    access:hasKeyComponent access-individual:DropOperation .
+
+:AdminDropFauxObjectPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :AdminDropFauxObjectPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:AdminRoleValueSet ;
+    access:hasRelatedValueSet access-individual:FauxObjectPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:FauxObjectPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:DropOperationValueSet ;
+    access:hasRelatedValueSet :AdminDropFauxObjectPropertyValueSet .
+
+:AdminDropFauxObjectPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:FauxObjectProperty ;
+    access:hasKeyComponent access-individual:AdminRoleUri ;
+    access:hasKeyComponent access-individual:DropOperation .
+
+### Add faux object property data sets
+
+:PublicAddFauxObjectPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :PublicAddFauxObjectPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:PublicRoleValueSet ;
+    access:hasRelatedValueSet access-individual:FauxObjectPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:FauxObjectPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:AddOperationValueSet ;
+    access:hasRelatedValueSet :PublicAddFauxObjectPropertyValueSet .
+
+:PublicAddFauxObjectPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:FauxObjectProperty ;
+    access:hasKeyComponent access-individual:PublicRoleUri ;
+    access:hasKeyComponent access-individual:AddOperation .
+
+:EditorAddFauxObjectPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :EditorAddFauxObjectPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:EditorRoleValueSet ;
+    access:hasRelatedValueSet access-individual:FauxObjectPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:FauxObjectPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:AddOperationValueSet ;
+    access:hasRelatedValueSet :EditorAddFauxObjectPropertyValueSet .
+
+:EditorAddFauxObjectPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:FauxObjectProperty ;
+    access:hasKeyComponent access-individual:EditorRoleUri ;
+    access:hasKeyComponent access-individual:AddOperation .
+
+:CuratorAddFauxObjectPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :CuratorAddFauxObjectPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:CuratorRoleValueSet ;
+    access:hasRelatedValueSet access-individual:FauxObjectPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:FauxObjectPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:AddOperationValueSet ;
+    access:hasRelatedValueSet :CuratorAddFauxObjectPropertyValueSet .
+
+:CuratorAddFauxObjectPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:FauxObjectProperty ;
+    access:hasKeyComponent access-individual:CuratorRoleUri ;
+    access:hasKeyComponent access-individual:AddOperation .
+
+:AdminAddFauxObjectPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :AdminAddFauxObjectPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:AdminRoleValueSet ;
+    access:hasRelatedValueSet access-individual:FauxObjectPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:FauxObjectPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:AddOperationValueSet ;
+    access:hasRelatedValueSet :AdminAddFauxObjectPropertyValueSet .
+
+:AdminAddFauxObjectPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:FauxObjectProperty ;
+    access:hasKeyComponent access-individual:AdminRoleUri ;
+    access:hasKeyComponent access-individual:AddOperation .
+
+### Edit faux object property data sets
+
+:PublicEditFauxObjectPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :PublicEditFauxObjectPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:PublicRoleValueSet ;
+    access:hasRelatedValueSet access-individual:FauxObjectPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:FauxObjectPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:EditOperationValueSet ;
+    access:hasRelatedValueSet :PublicEditFauxObjectPropertyValueSet .
+
+:PublicEditFauxObjectPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:FauxObjectProperty ;
+    access:hasKeyComponent access-individual:PublicRoleUri ;
+    access:hasKeyComponent access-individual:EditOperation .
+
+:EditorEditFauxObjectPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :EditorEditFauxObjectPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:EditorRoleValueSet ;
+    access:hasRelatedValueSet access-individual:FauxObjectPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:FauxObjectPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:EditOperationValueSet ;
+    access:hasRelatedValueSet :EditorEditFauxObjectPropertyValueSet .
+
+:EditorEditFauxObjectPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:FauxObjectProperty ;
+    access:hasKeyComponent access-individual:EditorRoleUri ;
+    access:hasKeyComponent access-individual:EditOperation .
+
+:CuratorEditFauxObjectPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :CuratorEditFauxObjectPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:CuratorRoleValueSet ;
+    access:hasRelatedValueSet access-individual:FauxObjectPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:FauxObjectPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:EditOperationValueSet ;
+    access:hasRelatedValueSet :CuratorEditFauxObjectPropertyValueSet .
+
+:CuratorEditFauxObjectPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:FauxObjectProperty ;
+    access:hasKeyComponent access-individual:CuratorRoleUri ;
+    access:hasKeyComponent access-individual:EditOperation .
+
+:AdminEditFauxObjectPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :AdminEditFauxObjectPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:AdminRoleValueSet ;
+    access:hasRelatedValueSet access-individual:FauxObjectPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:FauxObjectPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:EditOperationValueSet ;
+    access:hasRelatedValueSet :AdminEditFauxObjectPropertyValueSet .
+
+:AdminEditFauxObjectPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:FauxObjectProperty ;
+    access:hasKeyComponent access-individual:AdminRoleUri ;
+    access:hasKeyComponent access-individual:EditOperation .
+
+### Drop data property data sets
+
+:PublicDropDataPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :PublicDropDataPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:PublicRoleValueSet ;
+    access:hasRelatedValueSet access-individual:DataPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:DataPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:DropOperationValueSet ;
+    access:hasRelatedValueSet :PublicDropDataPropertyValueSet .
+
+:PublicDropDataPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:DataProperty ;
+    access:hasKeyComponent access-individual:PublicRoleUri ;
+    access:hasKeyComponent access-individual:DropOperation .
+
+:EditorDropDataPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :EditorDropDataPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:EditorRoleValueSet ;
+    access:hasRelatedValueSet access-individual:DataPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:DataPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:DropOperationValueSet ;
+    access:hasRelatedValueSet :EditorDropDataPropertyValueSet .
+
+:EditorDropDataPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:DataProperty ;
+    access:hasKeyComponent access-individual:EditorRoleUri ;
+    access:hasKeyComponent access-individual:DropOperation .
+
+:CuratorDropDataPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :CuratorDropDataPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:CuratorRoleValueSet ;
+    access:hasRelatedValueSet access-individual:DataPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:DataPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:DropOperationValueSet ;
+    access:hasRelatedValueSet :CuratorDropDataPropertyValueSet .
+
+:CuratorDropDataPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:DataProperty ;
+    access:hasKeyComponent access-individual:CuratorRoleUri ;
+    access:hasKeyComponent access-individual:DropOperation .
+
+:AdminDropDataPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :AdminDropDataPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:AdminRoleValueSet ;
+    access:hasRelatedValueSet access-individual:DataPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:DataPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:DropOperationValueSet ;
+    access:hasRelatedValueSet :AdminDropDataPropertyValueSet .
+
+:AdminDropDataPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:DataProperty ;
+    access:hasKeyComponent access-individual:AdminRoleUri ;
+    access:hasKeyComponent access-individual:DropOperation .
+
+### Add data property data sets
+
+:PublicAddDataPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :PublicAddDataPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:PublicRoleValueSet ;
+    access:hasRelatedValueSet access-individual:DataPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:DataPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:AddOperationValueSet ;
+    access:hasRelatedValueSet :PublicAddDataPropertyValueSet .
+
+:PublicAddDataPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:DataProperty ;
+    access:hasKeyComponent access-individual:PublicRoleUri ;
+    access:hasKeyComponent access-individual:AddOperation .
+
+:EditorAddDataPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :EditorAddDataPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:EditorRoleValueSet ;
+    access:hasRelatedValueSet access-individual:DataPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:DataPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:AddOperationValueSet ;
+    access:hasRelatedValueSet :EditorAddDataPropertyValueSet .
+
+:EditorAddDataPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:DataProperty ;
+    access:hasKeyComponent access-individual:EditorRoleUri ;
+    access:hasKeyComponent access-individual:AddOperation .
+
+:CuratorAddDataPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :CuratorAddDataPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:CuratorRoleValueSet ;
+    access:hasRelatedValueSet access-individual:DataPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:DataPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:AddOperationValueSet ;
+    access:hasRelatedValueSet :CuratorAddDataPropertyValueSet .
+
+:CuratorAddDataPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:DataProperty ;
+    access:hasKeyComponent access-individual:CuratorRoleUri ;
+    access:hasKeyComponent access-individual:AddOperation .
+
+:AdminAddDataPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :AdminAddDataPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:AdminRoleValueSet ;
+    access:hasRelatedValueSet access-individual:DataPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:DataPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:AddOperationValueSet ;
+    access:hasRelatedValueSet :AdminAddDataPropertyValueSet .
+
+:AdminAddDataPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:DataProperty ;
+    access:hasKeyComponent access-individual:AdminRoleUri ;
+    access:hasKeyComponent access-individual:AddOperation .
+
+### Edit data property data sets
+
+:PublicEditDataPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :PublicEditDataPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:PublicRoleValueSet ;
+    access:hasRelatedValueSet access-individual:DataPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:DataPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:EditOperationValueSet ;
+    access:hasRelatedValueSet :PublicEditDataPropertyValueSet .
+
+:PublicEditDataPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:DataProperty ;
+    access:hasKeyComponent access-individual:PublicRoleUri ;
+    access:hasKeyComponent access-individual:EditOperation .
+
+:EditorEditDataPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :EditorEditDataPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:EditorRoleValueSet ;
+    access:hasRelatedValueSet access-individual:DataPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:DataPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:EditOperationValueSet ;
+    access:hasRelatedValueSet :EditorEditDataPropertyValueSet .
+
+:EditorEditDataPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:DataProperty ;
+    access:hasKeyComponent access-individual:EditorRoleUri ;
+    access:hasKeyComponent access-individual:EditOperation .
+
+:CuratorEditDataPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :CuratorEditDataPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:CuratorRoleValueSet ;
+    access:hasRelatedValueSet access-individual:DataPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:DataPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:EditOperationValueSet ;
+    access:hasRelatedValueSet :CuratorEditDataPropertyValueSet .
+
+:CuratorEditDataPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:DataProperty ;
+    access:hasKeyComponent access-individual:CuratorRoleUri ;
+    access:hasKeyComponent access-individual:EditOperation .
+
+:AdminEditDataPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :AdminEditDataPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:AdminRoleValueSet ;
+    access:hasRelatedValueSet access-individual:DataPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:DataPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:EditOperationValueSet ;
+    access:hasRelatedValueSet :AdminEditDataPropertyValueSet .
+
+:AdminEditDataPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:DataProperty ;
+    access:hasKeyComponent access-individual:AdminRoleUri ;
+    access:hasKeyComponent access-individual:EditOperation .
+
+### Drop object property data sets
+
+:PublicDropObjectPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :PublicDropObjectPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:PublicRoleValueSet ;
+    access:hasRelatedValueSet access-individual:ObjectPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:ObjectPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:DropOperationValueSet ;
+    access:hasRelatedValueSet :PublicDropObjectPropertyValueSet .
+
+:PublicDropObjectPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:ObjectProperty ;
+    access:hasKeyComponent access-individual:PublicRoleUri ;
+    access:hasKeyComponent access-individual:DropOperation .
+
+:EditorDropObjectPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :EditorDropObjectPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:EditorRoleValueSet ;
+    access:hasRelatedValueSet access-individual:ObjectPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:ObjectPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:DropOperationValueSet ;
+    access:hasRelatedValueSet :EditorDropObjectPropertyValueSet .
+
+:EditorDropObjectPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:ObjectProperty ;
+    access:hasKeyComponent access-individual:EditorRoleUri ;
+    access:hasKeyComponent access-individual:DropOperation .
+
+:CuratorDropObjectPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :CuratorDropObjectPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:CuratorRoleValueSet ;
+    access:hasRelatedValueSet access-individual:ObjectPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:ObjectPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:DropOperationValueSet ;
+    access:hasRelatedValueSet :CuratorDropObjectPropertyValueSet .
+
+:CuratorDropObjectPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:ObjectProperty ;
+    access:hasKeyComponent access-individual:CuratorRoleUri ;
+    access:hasKeyComponent access-individual:DropOperation .
+
+:AdminDropObjectPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :AdminDropObjectPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:AdminRoleValueSet ;
+    access:hasRelatedValueSet access-individual:ObjectPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:ObjectPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:DropOperationValueSet ;
+    access:hasRelatedValueSet :AdminDropObjectPropertyValueSet .
+
+:AdminDropObjectPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:ObjectProperty ;
+    access:hasKeyComponent access-individual:AdminRoleUri ;
+    access:hasKeyComponent access-individual:DropOperation .
+
+### Add object property data sets
+
+:PublicAddObjectPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :PublicAddObjectPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:PublicRoleValueSet ;
+    access:hasRelatedValueSet access-individual:ObjectPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:ObjectPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:AddOperationValueSet ;
+    access:hasRelatedValueSet :PublicAddObjectPropertyValueSet .
+
+:PublicAddObjectPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:ObjectProperty ;
+    access:hasKeyComponent access-individual:PublicRoleUri ;
+    access:hasKeyComponent access-individual:AddOperation .
+
+:EditorAddObjectPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :EditorAddObjectPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:EditorRoleValueSet ;
+    access:hasRelatedValueSet access-individual:ObjectPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:ObjectPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:AddOperationValueSet ;
+    access:hasRelatedValueSet :EditorAddObjectPropertyValueSet .
+
+:EditorAddObjectPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:ObjectProperty ;
+    access:hasKeyComponent access-individual:EditorRoleUri ;
+    access:hasKeyComponent access-individual:AddOperation .
+
+:CuratorAddObjectPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :CuratorAddObjectPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:CuratorRoleValueSet ;
+    access:hasRelatedValueSet access-individual:ObjectPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:ObjectPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:AddOperationValueSet ;
+    access:hasRelatedValueSet :CuratorAddObjectPropertyValueSet .
+
+:CuratorAddObjectPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:ObjectProperty ;
+    access:hasKeyComponent access-individual:CuratorRoleUri ;
+    access:hasKeyComponent access-individual:AddOperation .
+
+:AdminAddObjectPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :AdminAddObjectPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:AdminRoleValueSet ;
+    access:hasRelatedValueSet access-individual:ObjectPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:ObjectPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:AddOperationValueSet ;
+    access:hasRelatedValueSet :AdminAddObjectPropertyValueSet .
+
+:AdminAddObjectPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:ObjectProperty ;
+    access:hasKeyComponent access-individual:AdminRoleUri ;
+    access:hasKeyComponent access-individual:AddOperation .
+
+### Edit object property data sets
+
+:PublicEditObjectPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :PublicEditObjectPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:PublicRoleValueSet ;
+    access:hasRelatedValueSet access-individual:ObjectPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:ObjectPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:EditOperationValueSet ;
+    access:hasRelatedValueSet :PublicEditObjectPropertyValueSet .
+
+:PublicEditObjectPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:ObjectProperty ;
+    access:hasKeyComponent access-individual:PublicRoleUri ;
+    access:hasKeyComponent access-individual:EditOperation .
+
+:EditorEditObjectPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :EditorEditObjectPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:EditorRoleValueSet ;
+    access:hasRelatedValueSet access-individual:ObjectPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:ObjectPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:EditOperationValueSet ;
+    access:hasRelatedValueSet :EditorEditObjectPropertyValueSet .
+
+:EditorEditObjectPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:ObjectProperty ;
+    access:hasKeyComponent access-individual:EditorRoleUri ;
+    access:hasKeyComponent access-individual:EditOperation .
+
+:CuratorEditObjectPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :CuratorEditObjectPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:CuratorRoleValueSet ;
+    access:hasRelatedValueSet access-individual:ObjectPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:ObjectPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:EditOperationValueSet ;
+    access:hasRelatedValueSet :CuratorEditObjectPropertyValueSet .
+
+:CuratorEditObjectPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:ObjectProperty ;
+    access:hasKeyComponent access-individual:CuratorRoleUri ;
+    access:hasKeyComponent access-individual:EditOperation .
+
+:AdminEditObjectPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :AdminEditObjectPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:AdminRoleValueSet ;
+    access:hasRelatedValueSet access-individual:ObjectPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:ObjectPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:EditOperationValueSet ;
+    access:hasRelatedValueSet :AdminEditObjectPropertyValueSet .
+
+:AdminEditObjectPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:ObjectProperty ;
+    access:hasKeyComponent access-individual:AdminRoleUri ;
+    access:hasKeyComponent access-individual:EditOperation .
+
+
+### Display object property data sets
+
+:PublicDisplayObjectPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :PublicDisplayObjectPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:PublicRoleValueSet ;
+    access:hasRelatedValueSet access-individual:ObjectPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:ObjectPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:DisplayOperationValueSet ;
+    access:hasRelatedValueSet :PublicDisplayObjectPropertyValueSet .
+
+:PublicDisplayObjectPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:ObjectProperty ;
+    access:hasKeyComponent access-individual:PublicRoleUri ;
+    access:hasKeyComponent access-individual:DisplayOperation .
+
+:EditorDisplayObjectPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :EditorDisplayObjectPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:EditorRoleValueSet ;
+    access:hasRelatedValueSet access-individual:ObjectPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:ObjectPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:DisplayOperationValueSet ;
+    access:hasRelatedValueSet :EditorDisplayObjectPropertyValueSet .
+
+:EditorDisplayObjectPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:ObjectProperty ;
+    access:hasKeyComponent access-individual:EditorRoleUri ;
+    access:hasKeyComponent access-individual:DisplayOperation .
+
+:CuratorDisplayObjectPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :CuratorDisplayObjectPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:CuratorRoleValueSet ;
+    access:hasRelatedValueSet access-individual:ObjectPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:ObjectPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:DisplayOperationValueSet ;
+    access:hasRelatedValueSet :CuratorDisplayObjectPropertyValueSet .
+
+:CuratorDisplayObjectPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:ObjectProperty ;
+    access:hasKeyComponent access-individual:CuratorRoleUri ;
+    access:hasKeyComponent access-individual:DisplayOperation .
+
+:AdminDisplayObjectPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :AdminDisplayObjectPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:AdminRoleValueSet ;
+    access:hasRelatedValueSet access-individual:ObjectPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:ObjectPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:DisplayOperationValueSet ;
+    access:hasRelatedValueSet :AdminDisplayObjectPropertyValueSet .
+
+:AdminDisplayObjectPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:ObjectProperty ;
+    access:hasKeyComponent access-individual:AdminRoleUri ;
+    access:hasKeyComponent access-individual:DisplayOperation .
+
+### Display data property data sets
+
+:PublicDisplayDataPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :PublicDisplayDataPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:PublicRoleValueSet ;
+    access:hasRelatedValueSet access-individual:DataPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:DataPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:DisplayOperationValueSet ;
+    access:hasRelatedValueSet :PublicDisplayDataPropertyValueSet .
+
+:PublicDisplayDataPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:DataProperty ;
+    access:hasKeyComponent access-individual:PublicRoleUri ;
+    access:hasKeyComponent access-individual:DisplayOperation .
+
+:EditorDisplayDataPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :EditorDisplayDataPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:EditorRoleValueSet ;
+    access:hasRelatedValueSet access-individual:DataPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:DataPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:DisplayOperationValueSet ;
+    access:hasRelatedValueSet :EditorDisplayDataPropertyValueSet .
+
+:EditorDisplayDataPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:DataProperty ;
+    access:hasKeyComponent access-individual:EditorRoleUri ;
+    access:hasKeyComponent access-individual:DisplayOperation .
+
+:CuratorDisplayDataPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :CuratorDisplayDataPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:CuratorRoleValueSet ;
+    access:hasRelatedValueSet access-individual:DataPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:DataPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:DisplayOperationValueSet ;
+    access:hasRelatedValueSet :CuratorDisplayDataPropertyValueSet .
+
+:CuratorDisplayDataPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:DataProperty ;
+    access:hasKeyComponent access-individual:CuratorRoleUri ;
+    access:hasKeyComponent access-individual:DisplayOperation .
+
+:AdminDisplayDataPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :AdminDisplayDataPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:AdminRoleValueSet ;
+    access:hasRelatedValueSet access-individual:DataPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:DataPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:DisplayOperationValueSet ;
+    access:hasRelatedValueSet :AdminDisplayDataPropertyValueSet .
+
+:AdminDisplayDataPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:DataProperty ;
+    access:hasKeyComponent access-individual:AdminRoleUri ;
+    access:hasKeyComponent access-individual:DisplayOperation .
+
+### Display faux object property data sets
+
+:PublicDisplayFauxObjectPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :PublicDisplayFauxObjectPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:PublicRoleValueSet ;
+    access:hasRelatedValueSet access-individual:FauxObjectPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:FauxObjectPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:DisplayOperationValueSet ;
+    access:hasRelatedValueSet :PublicDisplayFauxObjectPropertyValueSet .
+
+:PublicDisplayFauxObjectPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:FauxObjectProperty ;
+    access:hasKeyComponent access-individual:PublicRoleUri ;
+    access:hasKeyComponent access-individual:DisplayOperation .
+
+:EditorDisplayFauxObjectPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :EditorDisplayFauxObjectPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:EditorRoleValueSet ;
+    access:hasRelatedValueSet access-individual:FauxObjectPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:FauxObjectPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:DisplayOperationValueSet ;
+    access:hasRelatedValueSet :EditorDisplayFauxObjectPropertyValueSet .
+
+:EditorDisplayFauxObjectPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:FauxObjectProperty ;
+    access:hasKeyComponent access-individual:EditorRoleUri ;
+    access:hasKeyComponent access-individual:DisplayOperation .
+
+:CuratorDisplayFauxObjectPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :CuratorDisplayFauxObjectPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:CuratorRoleValueSet ;
+    access:hasRelatedValueSet access-individual:FauxObjectPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:FauxObjectPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:DisplayOperationValueSet ;
+    access:hasRelatedValueSet :CuratorDisplayFauxObjectPropertyValueSet .
+
+:CuratorDisplayFauxObjectPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:FauxObjectProperty ;
+    access:hasKeyComponent access-individual:CuratorRoleUri ;
+    access:hasKeyComponent access-individual:DisplayOperation .
+
+:AdminDisplayFauxObjectPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :AdminDisplayFauxObjectPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:AdminRoleValueSet ;
+    access:hasRelatedValueSet access-individual:FauxObjectPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:FauxObjectPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:DisplayOperationValueSet ;
+    access:hasRelatedValueSet :AdminDisplayFauxObjectPropertyValueSet .
+
+:AdminDisplayFauxObjectPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:FauxObjectProperty ;
+    access:hasKeyComponent access-individual:AdminRoleUri ;
+    access:hasKeyComponent access-individual:DisplayOperation .
+
+### Display faux data property data sets
+
+:PublicDisplayFauxDataPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :PublicDisplayFauxDataPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:PublicRoleValueSet ;
+    access:hasRelatedValueSet access-individual:FauxDataPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:FauxDataPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:DisplayOperationValueSet ;
+    access:hasRelatedValueSet :PublicDisplayFauxDataPropertyValueSet .
+
+:PublicDisplayFauxDataPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:FauxDataProperty ;
+    access:hasKeyComponent access-individual:PublicRoleUri ;
+    access:hasKeyComponent access-individual:DisplayOperation .
+
+:EditorDisplayFauxDataPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :EditorDisplayFauxDataPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:EditorRoleValueSet ;
+    access:hasRelatedValueSet access-individual:FauxDataPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:FauxDataPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:DisplayOperationValueSet ;
+    access:hasRelatedValueSet :EditorDisplayFauxDataPropertyValueSet .
+
+:EditorDisplayFauxDataPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:FauxDataProperty ;
+    access:hasKeyComponent access-individual:EditorRoleUri ;
+    access:hasKeyComponent access-individual:DisplayOperation .
+
+:CuratorDisplayFauxDataPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :CuratorDisplayFauxDataPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:CuratorRoleValueSet ;
+    access:hasRelatedValueSet access-individual:FauxDataPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:FauxDataPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:DisplayOperationValueSet ;
+    access:hasRelatedValueSet :CuratorDisplayFauxDataPropertyValueSet .
+
+:CuratorDisplayFauxDataPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:FauxDataProperty ;
+    access:hasKeyComponent access-individual:CuratorRoleUri ;
+    access:hasKeyComponent access-individual:DisplayOperation .
+
+:AdminDisplayFauxDataPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :AdminDisplayFauxDataPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:AdminRoleValueSet ;
+    access:hasRelatedValueSet access-individual:FauxDataPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:FauxDataPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:DisplayOperationValueSet ;
+    access:hasRelatedValueSet :AdminDisplayFauxDataPropertyValueSet .
+
+:AdminDisplayFauxDataPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:FauxDataProperty ;
+    access:hasKeyComponent access-individual:AdminRoleUri ;
+    access:hasKeyComponent access-individual:DisplayOperation .
+
+### Publish object property data sets
+
+:EditorPublishObjectPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :EditorPublishObjectPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:EditorRoleValueSet ;
+    access:hasRelatedValueSet access-individual:ObjectPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:ObjectPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:PublishOperationValueSet ;
+    access:hasRelatedValueSet :EditorPublishObjectPropertyValueSet .
+
+:EditorPublishObjectPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:ObjectProperty ;
+    access:hasKeyComponent access-individual:EditorRoleUri ;
+    access:hasKeyComponent access-individual:PublishOperation .
+
+:CuratorPublishObjectPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :CuratorPublishObjectPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:CuratorRoleValueSet ;
+    access:hasRelatedValueSet access-individual:ObjectPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:ObjectPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:PublishOperationValueSet ;
+    access:hasRelatedValueSet :CuratorPublishObjectPropertyValueSet .
+
+:CuratorPublishObjectPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:ObjectProperty ;
+    access:hasKeyComponent access-individual:CuratorRoleUri ;
+    access:hasKeyComponent access-individual:PublishOperation .
+
+:AdminPublishObjectPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :AdminPublishObjectPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:AdminRoleValueSet ;
+    access:hasRelatedValueSet access-individual:ObjectPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:ObjectPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:PublishOperationValueSet ;
+    access:hasRelatedValueSet :AdminPublishObjectPropertyValueSet .
+
+:AdminPublishObjectPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:ObjectProperty ;
+    access:hasKeyComponent access-individual:AdminRoleUri ;
+    access:hasKeyComponent access-individual:PublishOperation .
+
+### Publish data property data sets
+
+:EditorPublishDataPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :EditorPublishDataPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:EditorRoleValueSet ;
+    access:hasRelatedValueSet access-individual:DataPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:DataPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:PublishOperationValueSet ;
+    access:hasRelatedValueSet :EditorPublishDataPropertyValueSet .
+
+:EditorPublishDataPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:DataProperty ;
+    access:hasKeyComponent access-individual:EditorRoleUri ;
+    access:hasKeyComponent access-individual:PublishOperation .
+
+:CuratorPublishDataPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :CuratorPublishDataPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:CuratorRoleValueSet ;
+    access:hasRelatedValueSet access-individual:DataPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:DataPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:PublishOperationValueSet ;
+    access:hasRelatedValueSet :CuratorPublishDataPropertyValueSet .
+
+:CuratorPublishDataPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:DataProperty ;
+    access:hasKeyComponent access-individual:CuratorRoleUri ;
+    access:hasKeyComponent access-individual:PublishOperation .
+
+:AdminPublishDataPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :AdminPublishDataPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:AdminRoleValueSet ;
+    access:hasRelatedValueSet access-individual:DataPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:DataPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:PublishOperationValueSet ;
+    access:hasRelatedValueSet :AdminPublishDataPropertyValueSet .
+
+:AdminPublishDataPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:DataProperty ;
+    access:hasKeyComponent access-individual:AdminRoleUri ;
+    access:hasKeyComponent access-individual:PublishOperation .
+
+### Publish faux object property data sets
+
+:EditorPublishFauxObjectPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :EditorPublishFauxObjectPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:EditorRoleValueSet ;
+    access:hasRelatedValueSet access-individual:FauxObjectPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:FauxObjectPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:PublishOperationValueSet ;
+    access:hasRelatedValueSet :EditorPublishFauxObjectPropertyValueSet .
+
+:EditorPublishFauxObjectPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:FauxObjectProperty ;
+    access:hasKeyComponent access-individual:EditorRoleUri ;
+    access:hasKeyComponent access-individual:PublishOperation .
+
+:CuratorPublishFauxObjectPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :CuratorPublishFauxObjectPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:CuratorRoleValueSet ;
+    access:hasRelatedValueSet access-individual:FauxObjectPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:FauxObjectPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:PublishOperationValueSet ;
+    access:hasRelatedValueSet :CuratorPublishFauxObjectPropertyValueSet .
+
+:CuratorPublishFauxObjectPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:FauxObjectProperty ;
+    access:hasKeyComponent access-individual:CuratorRoleUri ;
+    access:hasKeyComponent access-individual:PublishOperation .
+
+:AdminPublishFauxObjectPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :AdminPublishFauxObjectPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:AdminRoleValueSet ;
+    access:hasRelatedValueSet access-individual:FauxObjectPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:FauxObjectPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:PublishOperationValueSet ;
+    access:hasRelatedValueSet :AdminPublishFauxObjectPropertyValueSet .
+
+:AdminPublishFauxObjectPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:FauxObjectProperty ;
+    access:hasKeyComponent access-individual:AdminRoleUri ;
+    access:hasKeyComponent access-individual:PublishOperation .
+
+### Publish faux data property data sets
+
+:EditorPublishFauxDataPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :EditorPublishFauxDataPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:EditorRoleValueSet ;
+    access:hasRelatedValueSet access-individual:FauxDataPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:FauxDataPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:PublishOperationValueSet ;
+    access:hasRelatedValueSet :EditorPublishFauxDataPropertyValueSet .
+
+:EditorPublishFauxDataPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:FauxDataProperty ;
+    access:hasKeyComponent access-individual:EditorRoleUri ;
+    access:hasKeyComponent access-individual:PublishOperation .
+
+:CuratorPublishFauxDataPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :CuratorPublishFauxDataPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:CuratorRoleValueSet ;
+    access:hasRelatedValueSet access-individual:FauxDataPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:FauxDataPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:PublishOperationValueSet ;
+    access:hasRelatedValueSet :CuratorPublishFauxDataPropertyValueSet .
+
+:CuratorPublishFauxDataPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:FauxDataProperty ;
+    access:hasKeyComponent access-individual:CuratorRoleUri ;
+    access:hasKeyComponent access-individual:PublishOperation .
+
+:AdminPublishFauxDataPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :AdminPublishFauxDataPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:AdminRoleValueSet ;
+    access:hasRelatedValueSet access-individual:FauxDataPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:FauxDataPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:PublishOperationValueSet ;
+    access:hasRelatedValueSet :AdminPublishFauxDataPropertyValueSet .
+
+:AdminPublishFauxDataPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:FauxDataProperty ;
+    access:hasKeyComponent access-individual:AdminRoleUri ;
+    access:hasKeyComponent access-individual:PublishOperation .
+
+:AllowMatchingProperty a access:Rule;
+    access:requiresCheck :SubjectRoleEqualsDataSetRoleAttribute ;
+    access:requiresCheck :OperationEqualsDataSetOperation ;
+    access:requiresCheck :AccessObjectTypeEqualsDataSetValue ;
+    access:requiresCheck :AccessObjectUriContainsInDataSet .
+
+:AccessObjectTypeEqualsDataSetValue a access:Check ;
+    access:useOperator access-individual:Equals ;
+    access:hasTypeToCheck access-individual:AccessObjectType ;
+    access:values access-individual:ObjectPropertyValueSet ;
+    access:values access-individual:DataPropertyValueSet ;
+    access:values access-individual:FauxObjectPropertyValueSet ;
+    access:values access-individual:FauxDataPropertyValueSet ;
+    .
+
+:AllowMatchingPropertyStatement a access:Rule;
+    access:requiresCheck :SubjectRoleEqualsDataSetRoleAttribute ;
+    access:requiresCheck :OperationEqualsDataSetOperation ;
+    access:requiresCheck :AccessObjectTypeStatementEquals ;
+    access:requiresCheck :StatementPredicateEquals ;
+    .
+
+:AccessObjectTypeStatementEquals a access:Check ;
+    access:useOperator access-individual:Equals ;
+    access:hasTypeToCheck access-individual:AccessObjectType ;
+    access:values access-individual:ObjectPropertyStatementValueSet ;
+    access:values access-individual:DataPropertyStatementValueSet ;
+    access:values access-individual:FauxObjectPropertyStatementValueSet ;
+    access:values access-individual:FauxDataPropertyStatementValueSet ;
+    .
+
+:OperationEqualsDataSetOperation a access:Check ;
+    access:useOperator access-individual:Equals ;
+    access:hasTypeToCheck access-individual:Operation ;
+    access:values access-individual:DisplayOperationValueSet ;
+    access:values access-individual:PublishOperationValueSet ;
+    access:values access-individual:EditOperationValueSet ;
+    access:values access-individual:AddOperationValueSet ;
+    access:values access-individual:DropOperationValueSet ;
+    .
+
+:SubjectRoleEqualsDataSetRoleAttribute a access:Check ;
+    access:useOperator access-individual:Equals ;
+    access:hasTypeToCheck access-individual:SubjectRole ;
+    access:values access-individual:PublicRoleValueSet ;
+    access:values access-individual:EditorRoleValueSet ;
+    access:values access-individual:CuratorRoleValueSet ;
+    access:values access-individual:AdminRoleValueSet .
+
+:StatementPredicateEquals a access:Check ;
+    access:useOperator access-individual:OneOf ;
+    access:hasTypeToCheck access-individual:StatementPredicateUri ;
+    access:values :PublicDisplayObjectPropertyValueSet ;
+    access:values :EditorDisplayObjectPropertyValueSet ;
+    access:values :CuratorDisplayObjectPropertyValueSet ;
+    access:values :AdminDisplayObjectPropertyValueSet ;
+
+    access:values :PublicDisplayDataPropertyValueSet ;
+    access:values :EditorDisplayDataPropertyValueSet ;
+    access:values :CuratorDisplayDataPropertyValueSet ;
+    access:values :AdminDisplayDataPropertyValueSet ;
+
+    access:values :PublicDisplayFauxObjectPropertyValueSet ;
+    access:values :EditorDisplayFauxObjectPropertyValueSet ;
+    access:values :CuratorDisplayFauxObjectPropertyValueSet ;
+    access:values :AdminDisplayFauxObjectPropertyValueSet ;
+
+    access:values :PublicDisplayFauxDataPropertyValueSet ;   
+    access:values :EditorDisplayFauxDataPropertyValueSet ;
+    access:values :CuratorDisplayFauxDataPropertyValueSet ;
+    access:values :AdminDisplayFauxDataPropertyValueSet ;
+
+    access:values :EditorPublishObjectPropertyValueSet ;
+    access:values :CuratorPublishObjectPropertyValueSet ;
+    access:values :AdminPublishObjectPropertyValueSet ;
+
+    access:values :EditorPublishDataPropertyValueSet ;
+    access:values :CuratorPublishDataPropertyValueSet ;
+    access:values :AdminPublishDataPropertyValueSet ;
+
+    access:values :EditorPublishFauxObjectPropertyValueSet ;
+    access:values :CuratorPublishFauxObjectPropertyValueSet ;
+    access:values :AdminPublishFauxObjectPropertyValueSet ;
+
+    access:values :EditorPublishFauxDataPropertyValueSet ;
+    access:values :CuratorPublishFauxDataPropertyValueSet ;
+    access:values :AdminPublishFauxDataPropertyValueSet ;
+
+    access:values :PublicEditObjectPropertyValueSet ;
+    access:values :EditorEditObjectPropertyValueSet ;
+    access:values :CuratorEditObjectPropertyValueSet ;
+    access:values :AdminEditObjectPropertyValueSet ;
+
+    access:values :PublicAddObjectPropertyValueSet ;
+    access:values :EditorAddObjectPropertyValueSet ;
+    access:values :CuratorAddObjectPropertyValueSet ;
+    access:values :AdminAddObjectPropertyValueSet ;
+
+    access:values :PublicDropObjectPropertyValueSet ;
+    access:values :EditorDropObjectPropertyValueSet ;
+    access:values :CuratorDropObjectPropertyValueSet ;
+    access:values :AdminDropObjectPropertyValueSet ;
+
+    access:values :PublicEditDataPropertyValueSet ;
+    access:values :EditorEditDataPropertyValueSet ;
+    access:values :CuratorEditDataPropertyValueSet ;
+    access:values :AdminEditDataPropertyValueSet ;
+
+    access:values :PublicAddDataPropertyValueSet ;
+    access:values :EditorAddDataPropertyValueSet ;
+    access:values :CuratorAddDataPropertyValueSet ;
+    access:values :AdminAddDataPropertyValueSet ;
+
+    access:values :PublicDropDataPropertyValueSet ;
+    access:values :EditorDropDataPropertyValueSet ;
+    access:values :CuratorDropDataPropertyValueSet ;
+    access:values :AdminDropDataPropertyValueSet ;
+
+    access:values :PublicEditFauxObjectPropertyValueSet ;
+    access:values :EditorEditFauxObjectPropertyValueSet ;
+    access:values :CuratorEditFauxObjectPropertyValueSet ;
+    access:values :AdminEditFauxObjectPropertyValueSet ;
+
+    access:values :PublicAddFauxObjectPropertyValueSet ;
+    access:values :EditorAddFauxObjectPropertyValueSet ;
+    access:values :CuratorAddFauxObjectPropertyValueSet ;
+    access:values :AdminAddFauxObjectPropertyValueSet ;
+
+    access:values :PublicDropFauxObjectPropertyValueSet ;
+    access:values :EditorDropFauxObjectPropertyValueSet ;
+    access:values :CuratorDropFauxObjectPropertyValueSet ;
+    access:values :AdminDropFauxObjectPropertyValueSet ;
+
+    access:values :PublicEditFauxDataPropertyValueSet ;
+    access:values :EditorEditFauxDataPropertyValueSet ;
+    access:values :CuratorEditFauxDataPropertyValueSet ;
+    access:values :AdminEditFauxDataPropertyValueSet ;
+
+    access:values :PublicAddFauxDataPropertyValueSet ;
+    access:values :EditorAddFauxDataPropertyValueSet ;
+    access:values :CuratorAddFauxDataPropertyValueSet ;
+    access:values :AdminAddFauxDataPropertyValueSet ;
+
+    access:values :PublicDropFauxDataPropertyValueSet ;
+    access:values :EditorDropFauxDataPropertyValueSet ;
+    access:values :CuratorDropFauxDataPropertyValueSet ;
+    access:values :AdminDropFauxDataPropertyValueSet ;
+    .
+
+:AccessObjectUriContainsInDataSet a access:Check ;
+    access:useOperator access-individual:OneOf ;
+    access:hasTypeToCheck access-individual:AccessObjectUri ;
+    access:values :PublicDisplayObjectPropertyValueSet ;
+    access:values :EditorDisplayObjectPropertyValueSet ;
+    access:values :CuratorDisplayObjectPropertyValueSet ;
+    access:values :AdminDisplayObjectPropertyValueSet ;
+
+    access:values :PublicDisplayDataPropertyValueSet ;
+    access:values :EditorDisplayDataPropertyValueSet ;
+    access:values :CuratorDisplayDataPropertyValueSet ;
+    access:values :AdminDisplayDataPropertyValueSet ;
+
+    access:values :PublicDisplayFauxObjectPropertyValueSet ;
+    access:values :EditorDisplayFauxObjectPropertyValueSet ;
+    access:values :CuratorDisplayFauxObjectPropertyValueSet ;
+    access:values :AdminDisplayFauxObjectPropertyValueSet ;
+
+    access:values :PublicDisplayFauxDataPropertyValueSet ;   
+    access:values :EditorDisplayFauxDataPropertyValueSet ;
+    access:values :CuratorDisplayFauxDataPropertyValueSet ;
+    access:values :AdminDisplayFauxDataPropertyValueSet ;
+
+    access:values :EditorPublishObjectPropertyValueSet ;
+    access:values :CuratorPublishObjectPropertyValueSet ;
+    access:values :AdminPublishObjectPropertyValueSet ;
+
+    access:values :EditorPublishDataPropertyValueSet ;
+    access:values :CuratorPublishDataPropertyValueSet ;
+    access:values :AdminPublishDataPropertyValueSet ;
+
+    access:values :EditorPublishFauxObjectPropertyValueSet ;
+    access:values :CuratorPublishFauxObjectPropertyValueSet ;
+    access:values :AdminPublishFauxObjectPropertyValueSet ;
+
+    access:values :EditorPublishFauxDataPropertyValueSet ;
+    access:values :CuratorPublishFauxDataPropertyValueSet ;
+    access:values :AdminPublishFauxDataPropertyValueSet ;
+
+    access:values :PublicEditObjectPropertyValueSet ;
+    access:values :EditorEditObjectPropertyValueSet ;
+    access:values :CuratorEditObjectPropertyValueSet ;
+    access:values :AdminEditObjectPropertyValueSet ;
+
+    access:values :PublicAddObjectPropertyValueSet ;
+    access:values :EditorAddObjectPropertyValueSet ;
+    access:values :CuratorAddObjectPropertyValueSet ;
+    access:values :AdminAddObjectPropertyValueSet ;
+
+    access:values :PublicDropObjectPropertyValueSet ;
+    access:values :EditorDropObjectPropertyValueSet ;
+    access:values :CuratorDropObjectPropertyValueSet ;
+    access:values :AdminDropObjectPropertyValueSet ;
+
+    access:values :PublicEditDataPropertyValueSet ;
+    access:values :EditorEditDataPropertyValueSet ;
+    access:values :CuratorEditDataPropertyValueSet ;
+    access:values :AdminEditDataPropertyValueSet ;
+
+    access:values :PublicAddDataPropertyValueSet ;
+    access:values :EditorAddDataPropertyValueSet ;
+    access:values :CuratorAddDataPropertyValueSet ;
+    access:values :AdminAddDataPropertyValueSet ;
+
+    access:values :PublicDropDataPropertyValueSet ;
+    access:values :EditorDropDataPropertyValueSet ;
+    access:values :CuratorDropDataPropertyValueSet ;
+    access:values :AdminDropDataPropertyValueSet ;
+
+    access:values :PublicEditFauxObjectPropertyValueSet ;
+    access:values :EditorEditFauxObjectPropertyValueSet ;
+    access:values :CuratorEditFauxObjectPropertyValueSet ;
+    access:values :AdminEditFauxObjectPropertyValueSet ;
+
+    access:values :PublicAddFauxObjectPropertyValueSet ;
+    access:values :EditorAddFauxObjectPropertyValueSet ;
+    access:values :CuratorAddFauxObjectPropertyValueSet ;
+    access:values :AdminAddFauxObjectPropertyValueSet ;
+
+    access:values :PublicDropFauxObjectPropertyValueSet ;
+    access:values :EditorDropFauxObjectPropertyValueSet ;
+    access:values :CuratorDropFauxObjectPropertyValueSet ;
+    access:values :AdminDropFauxObjectPropertyValueSet ;
+
+    access:values :PublicEditFauxDataPropertyValueSet ;
+    access:values :EditorEditFauxDataPropertyValueSet ;
+    access:values :CuratorEditFauxDataPropertyValueSet ;
+    access:values :AdminEditFauxDataPropertyValueSet ;
+
+    access:values :PublicAddFauxDataPropertyValueSet ;
+    access:values :EditorAddFauxDataPropertyValueSet ;
+    access:values :CuratorAddFauxDataPropertyValueSet ;
+    access:values :AdminAddFauxDataPropertyValueSet ;
+
+    access:values :PublicDropFauxDataPropertyValueSet ;
+    access:values :EditorDropFauxDataPropertyValueSet ;
+    access:values :CuratorDropFauxDataPropertyValueSet ;
+    access:values :AdminDropFauxDataPropertyValueSet ;
+    .
+
+:PublicDropFauxDataPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:FauxDataProperty .
+:EditorDropFauxDataPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:FauxDataProperty .
+:CuratorDropFauxDataPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:FauxDataProperty .
+:AdminDropFauxDataPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:FauxDataProperty .
+
+:PublicAddFauxDataPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:FauxDataProperty .
+:EditorAddFauxDataPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:FauxDataProperty .
+:CuratorAddFauxDataPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:FauxDataProperty .
+:AdminAddFauxDataPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:FauxDataProperty .
+
+:PublicEditFauxDataPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:FauxDataProperty .
+:EditorEditFauxDataPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:FauxDataProperty .
+:CuratorEditFauxDataPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:FauxDataProperty .
+:AdminEditFauxDataPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:FauxDataProperty .
+
+:PublicDropFauxObjectPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:FauxObjectProperty .
+:EditorDropFauxObjectPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:FauxObjectProperty .
+:CuratorDropFauxObjectPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:FauxObjectProperty .
+:AdminDropFauxObjectPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:FauxObjectProperty .
+
+:PublicAddFauxObjectPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:FauxObjectProperty .
+:EditorAddFauxObjectPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:FauxObjectProperty .
+:CuratorAddFauxObjectPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:FauxObjectProperty .
+:AdminAddFauxObjectPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:FauxObjectProperty .
+
+:PublicEditFauxObjectPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:FauxObjectProperty .
+:EditorEditFauxObjectPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:FauxObjectProperty .
+:CuratorEditFauxObjectPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:FauxObjectProperty .
+:AdminEditFauxObjectPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:FauxObjectProperty .
+
+
+:PublicDropDataPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:DataProperty .
+:EditorDropDataPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:DataProperty .
+:CuratorDropDataPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:DataProperty .
+:AdminDropDataPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:DataProperty .
+
+:PublicAddDataPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:DataProperty .
+:EditorAddDataPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:DataProperty .
+:CuratorAddDataPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:DataProperty .
+:AdminAddDataPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:DataProperty .
+
+:PublicEditDataPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:DataProperty .
+:EditorEditDataPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:DataProperty .
+:CuratorEditDataPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:DataProperty .
+:AdminEditDataPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:DataProperty .
+
+:PublicDropObjectPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:ObjectProperty .
+:EditorDropObjectPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:ObjectProperty .
+:CuratorDropObjectPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:ObjectProperty .
+:AdminDropObjectPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:ObjectProperty .
+
+:PublicAddObjectPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:ObjectProperty .
+:EditorAddObjectPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:ObjectProperty .
+:CuratorAddObjectPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:ObjectProperty .
+:AdminAddObjectPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:ObjectProperty .
+
+:PublicEditObjectPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:ObjectProperty .
+:EditorEditObjectPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:ObjectProperty .
+:CuratorEditObjectPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:ObjectProperty .
+:AdminEditObjectPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:ObjectProperty .
+
+:PublicDisplayObjectPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:ObjectProperty .
+:EditorDisplayObjectPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:ObjectProperty .
+:CuratorDisplayObjectPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:ObjectProperty .
+:AdminDisplayObjectPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:ObjectProperty .
+
+:PublicDisplayDataPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:DataProperty .
+:EditorDisplayDataPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:DataProperty .
+:CuratorDisplayDataPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:DataProperty .
+:AdminDisplayDataPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:DataProperty .
+
+:PublicDisplayFauxObjectPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:FauxObjectProperty .
+:EditorDisplayFauxObjectPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:FauxObjectProperty .
+:CuratorDisplayFauxObjectPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:FauxObjectProperty .
+:AdminDisplayFauxObjectPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:FauxObjectProperty .
+
+:PublicDisplayFauxDataPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:FauxDataProperty .
+:EditorDisplayFauxDataPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:FauxDataProperty .
+:CuratorDisplayFauxDataPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:FauxDataProperty .
+:AdminDisplayFauxDataPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:FauxDataProperty .
+
+:EditorPublishObjectPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:ObjectProperty .
+:CuratorPublishObjectPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:ObjectProperty .
+:AdminPublishObjectPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:ObjectProperty .
+
+:EditorPublishDataPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:DataProperty .
+:CuratorPublishDataPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:DataProperty .
+:AdminPublishDataPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:DataProperty .
+
+:EditorPublishFauxObjectPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:FauxObjectProperty .
+:CuratorPublishFauxObjectPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:FauxObjectProperty .
+:AdminPublishFauxObjectPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:FauxObjectProperty .
+
+:EditorPublishFauxDataPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:FauxDataProperty .
+:CuratorPublishFauxDataPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:FauxDataProperty .
+:AdminPublishFauxDataPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:FauxDataProperty .
diff --git a/home/src/main/resources/rdf/accessControl/firsttime/template_access_related_allowed_property.n3 b/home/src/main/resources/rdf/accessControl/firsttime/template_access_related_allowed_property.n3
new file mode 100644
index 0000000000..e63dedc2f5
--- /dev/null
+++ b/home/src/main/resources/rdf/accessControl/firsttime/template_access_related_allowed_property.n3
@@ -0,0 +1,226 @@
+# $This file is distributed under the terms of the license in LICENSE$
+
+@prefix auth: <http://vitro.mannlib.cornell.edu/ns/vitro/authorization#> .
+@prefix access-individual: <https://vivoweb.org/ontology/vitro-application/auth/individual/> .
+@prefix access: <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/> .
+@prefix : <https://vivoweb.org/ontology/vitro-application/auth/individual/related-allowed-property/> .
+
+:PolicyTemplate a access:PolicyTemplate ;
+    access:hasRule :AllowMatchingPropertyStatement ;
+    access:hasRule :AllowMatchingProperty ;
+
+    access:hasDataSet :SelfEditorDisplayObjectPropertyDataSet ;
+    access:hasDataSet :SelfEditorDisplayDataPropertyDataSet ;
+    access:hasDataSet :SelfEditorDisplayFauxObjectPropertyDataSet ;
+    access:hasDataSet :SelfEditorDisplayFauxDataPropertyDataSet ;
+    access:hasDataSet :SelfEditorPublishObjectPropertyDataSet ;
+    access:hasDataSet :SelfEditorPublishDataPropertyDataSet ;
+    access:hasDataSet :SelfEditorPublishFauxObjectPropertyDataSet ;
+    access:hasDataSet :SelfEditorPublishFauxDataPropertyDataSet ;
+    .
+
+### Display object property data sets
+
+:SelfEditorDisplayObjectPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :SelfEditorDisplayObjectPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:SelfEditorRoleValueSet ;
+    access:hasRelatedValueSet access-individual:ObjectPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:ObjectPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:DisplayOperationValueSet ;
+    access:hasRelatedValueSet :SelfEditorDisplayObjectPropertyValueSet .
+
+:SelfEditorDisplayObjectPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:ObjectProperty ;
+    access:hasKeyComponent access-individual:SelfEditorRoleUri ;
+    access:hasKeyComponent access-individual:DisplayOperation .
+
+### Display data property data sets
+
+:SelfEditorDisplayDataPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :SelfEditorDisplayDataPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:SelfEditorRoleValueSet ;
+    access:hasRelatedValueSet access-individual:DataPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:DataPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:DisplayOperationValueSet ;
+    access:hasRelatedValueSet :SelfEditorDisplayDataPropertyValueSet .
+
+:SelfEditorDisplayDataPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:DataProperty ;
+    access:hasKeyComponent access-individual:SelfEditorRoleUri ;
+    access:hasKeyComponent access-individual:DisplayOperation .
+
+### Display faux object property data sets
+
+:SelfEditorDisplayFauxObjectPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :SelfEditorDisplayFauxObjectPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:SelfEditorRoleValueSet ;
+    access:hasRelatedValueSet access-individual:FauxObjectPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:FauxObjectPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:DisplayOperationValueSet ;
+    access:hasRelatedValueSet :SelfEditorDisplayFauxObjectPropertyValueSet .
+
+:SelfEditorDisplayFauxObjectPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:FauxObjectProperty ;
+    access:hasKeyComponent access-individual:SelfEditorRoleUri ;
+    access:hasKeyComponent access-individual:DisplayOperation .
+
+### Display faux data property data sets
+
+:SelfEditorDisplayFauxDataPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :SelfEditorDisplayFauxDataPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:SelfEditorRoleValueSet ;
+    access:hasRelatedValueSet access-individual:FauxDataPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:FauxDataPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:DisplayOperationValueSet ;
+    access:hasRelatedValueSet :SelfEditorDisplayFauxDataPropertyValueSet .
+
+:SelfEditorDisplayFauxDataPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:FauxDataProperty ;
+    access:hasKeyComponent access-individual:SelfEditorRoleUri ;
+    access:hasKeyComponent access-individual:DisplayOperation .
+
+### Publish object property data sets
+
+:SelfEditorPublishObjectPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :SelfEditorPublishObjectPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:SelfEditorRoleValueSet ;
+    access:hasRelatedValueSet access-individual:ObjectPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:ObjectPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:PublishOperationValueSet ;
+    access:hasRelatedValueSet :SelfEditorPublishObjectPropertyValueSet .
+
+:SelfEditorPublishObjectPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:ObjectProperty ;
+    access:hasKeyComponent access-individual:SelfEditorRoleUri ;
+    access:hasKeyComponent access-individual:PublishOperation .
+
+### Publish data property data sets
+
+:SelfEditorPublishDataPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :SelfEditorPublishDataPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:SelfEditorRoleValueSet ;
+    access:hasRelatedValueSet access-individual:DataPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:DataPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:PublishOperationValueSet ;
+    access:hasRelatedValueSet :SelfEditorPublishDataPropertyValueSet .
+
+:SelfEditorPublishDataPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:DataProperty ;
+    access:hasKeyComponent access-individual:SelfEditorRoleUri ;
+    access:hasKeyComponent access-individual:PublishOperation .
+
+### Publish faux object property data sets
+
+:SelfEditorPublishFauxObjectPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :SelfEditorPublishFauxObjectPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:SelfEditorRoleValueSet ;
+    access:hasRelatedValueSet access-individual:FauxObjectPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:FauxObjectPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:PublishOperationValueSet ;
+    access:hasRelatedValueSet :SelfEditorPublishFauxObjectPropertyValueSet .
+
+:SelfEditorPublishFauxObjectPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:FauxObjectProperty ;
+    access:hasKeyComponent access-individual:SelfEditorRoleUri ;
+    access:hasKeyComponent access-individual:PublishOperation .
+
+### Publish faux data property data sets
+
+:SelfEditorPublishFauxDataPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :SelfEditorPublishFauxDataPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:SelfEditorRoleValueSet ;
+    access:hasRelatedValueSet access-individual:FauxDataPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:FauxDataPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:PublishOperationValueSet ;
+    access:hasRelatedValueSet :SelfEditorPublishFauxDataPropertyValueSet .
+
+:SelfEditorPublishFauxDataPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:FauxDataProperty ;
+    access:hasKeyComponent access-individual:SelfEditorRoleUri ;
+    access:hasKeyComponent access-individual:PublishOperation .
+
+:AllowMatchingProperty a access:Rule;
+    access:requiresCheck :SubjectRoleCheck ;
+    access:requiresCheck :OperationCheck ;
+    access:requiresCheck :AccessObjectTypeCheck ;
+    access:requiresCheck :AccessObjectUriCheck .
+
+:AccessObjectTypeCheck a access:Check ;
+    access:useOperator access-individual:Equals ;
+    access:hasTypeToCheck access-individual:AccessObjectType ;
+    access:values access-individual:ObjectPropertyValueSet ;
+    access:values access-individual:DataPropertyValueSet ;
+    access:values access-individual:FauxObjectPropertyValueSet ;
+    access:values access-individual:FauxDataPropertyValueSet ;
+    .
+
+:AllowMatchingPropertyStatement a access:Rule;
+    access:requiresCheck :SubjectRoleCheck ;
+    access:requiresCheck :OperationCheck ;
+    access:requiresCheck :AccessObjectStatementTypeCheck ;
+    access:requiresCheck :StatementPredicateCheck ;
+    .
+
+:AccessObjectStatementTypeCheck a access:Check ;
+    access:useOperator access-individual:Equals ;
+    access:hasTypeToCheck access-individual:AccessObjectType ;
+    access:values access-individual:ObjectPropertyStatementValueSet ;
+    access:values access-individual:DataPropertyStatementValueSet ;
+    access:values access-individual:FauxObjectPropertyStatementValueSet ;
+    access:values access-individual:FauxDataPropertyStatementValueSet ;
+    .
+
+:OperationCheck a access:Check ;
+    access:useOperator access-individual:Equals ;
+    access:hasTypeToCheck access-individual:Operation ;
+    access:values access-individual:DisplayOperationValueSet ;
+    access:values access-individual:PublishOperationValueSet ;
+    .
+
+:SubjectRoleCheck a access:Check ;
+    access:useOperator access-individual:Equals ;
+    access:hasTypeToCheck access-individual:SubjectRole ;
+    access:values access-individual:SelfEditorRoleValueSet .
+
+:StatementPredicateCheck a access:Check ;
+    access:useOperator access-individual:OneOf ;
+    access:hasTypeToCheck access-individual:StatementPredicateUri ;
+    access:values :SelfEditorDisplayObjectPropertyValueSet ;
+    access:values :SelfEditorDisplayDataPropertyValueSet ;
+    access:values :SelfEditorDisplayFauxObjectPropertyValueSet ;
+    access:values :SelfEditorDisplayFauxDataPropertyValueSet ;
+    access:values :SelfEditorPublishObjectPropertyValueSet ;
+    access:values :SelfEditorPublishDataPropertyValueSet ;
+    access:values :SelfEditorPublishFauxObjectPropertyValueSet ;
+    access:values :SelfEditorPublishFauxDataPropertyValueSet ;
+    .
+
+:AccessObjectUriCheck a access:Check ;
+    access:useOperator access-individual:OneOf ;
+    access:hasTypeToCheck access-individual:AccessObjectUri ;
+    access:values :SelfEditorDisplayObjectPropertyValueSet ;
+    access:values :SelfEditorDisplayDataPropertyValueSet ;
+    access:values :SelfEditorDisplayFauxObjectPropertyValueSet ;
+    access:values :SelfEditorDisplayFauxDataPropertyValueSet ;
+    access:values :SelfEditorPublishObjectPropertyValueSet ;
+    access:values :SelfEditorPublishDataPropertyValueSet ;
+    access:values :SelfEditorPublishFauxObjectPropertyValueSet ;
+    access:values :SelfEditorPublishFauxDataPropertyValueSet ;
+    .
+
+:SelfEditorDisplayObjectPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:ObjectProperty .
+:SelfEditorDisplayDataPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:DataProperty .
+:SelfEditorDisplayFauxObjectPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:FauxObjectProperty .
+:SelfEditorDisplayFauxDataPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:FauxDataProperty .
+:SelfEditorPublishObjectPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:ObjectProperty .
+:SelfEditorPublishDataPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:DataProperty .
+:SelfEditorPublishFauxObjectPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:FauxObjectProperty .
+:SelfEditorPublishFauxDataPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:FauxDataProperty .
diff --git a/home/src/main/resources/rdf/accessControl/firsttime/template_editable_pages.n3 b/home/src/main/resources/rdf/accessControl/firsttime/template_editable_pages.n3
new file mode 100644
index 0000000000..ec60d0acf7
--- /dev/null
+++ b/home/src/main/resources/rdf/accessControl/firsttime/template_editable_pages.n3
@@ -0,0 +1,71 @@
+# $This file is distributed under the terms of the license in LICENSE$
+
+@prefix auth: <http://vitro.mannlib.cornell.edu/ns/vitro/authorization#> .
+@prefix access-individual: <https://vivoweb.org/ontology/vitro-application/auth/individual/> .
+@prefix access: <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/> .
+@prefix : <https://vivoweb.org/ontology/vitro-application/auth/individual/edit-individual-pages/> .
+
+:PolicyTemplate a access:PolicyTemplate ;
+    access:hasDataSet :AdminRoleDataSet ;
+    access:hasDataSet :CuratorRoleDataSet ;
+    access:hasDataSet :EditorRoleDataSet ;
+    access:hasDataSetTemplate :RoleDataSetTemplate ;
+    access:hasRule :AllowEditIndividualPagesRule .
+
+:AdminRoleDataSet a access:DataSet ;
+    access:hasRelatedValueSet access-individual:AdminRoleValueSet .
+
+:CuratorRoleDataSet a access:DataSet ;
+    access:hasRelatedValueSet access-individual:CuratorRoleValueSet .
+
+:EditorRoleDataSet a access:DataSet ;
+    access:hasRelatedValueSet access-individual:EditorRoleValueSet .
+
+:RoleDataSetTemplate a access:DataSetTemplate ;
+    access:hasDataSetTemplateKey :RoleEditPagesDataSetTemplateKey ;
+    access:dataSetValueTemplate :RoleEditPagesValueSetTemplate .
+
+:RoleEditPagesValueSetTemplate a access:ValueSetTemplate ;
+    access:relatedCheck :SubjectRoleCheck;
+    access:containsElementsOfType access-individual:SubjectRole .
+
+:RoleEditPagesDataSetTemplateKey a access:DataSetTemplateKey ;
+    access:hasTemplateKeyComponent access-individual:SubjectRole .
+
+:AllowEditIndividualPagesRule a access:Rule;
+    access:requiresCheck :SubjectRoleCheck ;
+    access:requiresCheck :IsEditOperation ;
+    access:requiresCheck :IsObjectPropertyStatement ;
+    access:requiresCheck :ObjectUriIsSomeUri ;
+    access:requiresCheck :PredicateIsSomePredicate .
+
+:SubjectRoleCheck a access:Check ;
+    access:useOperator access-individual:Equals ;
+    access:hasTypeToCheck access-individual:SubjectRole ;
+    access:values access-individual:AdminRoleValueSet ;
+    access:values access-individual:CuratorRoleValueSet ;
+    access:values access-individual:EditorRoleValueSet .
+
+:IsEditOperation a access:Check ;
+    access:useOperator access-individual:Equals ;
+    access:hasTypeToCheck access-individual:Operation ;
+    access:value access-individual:EditOperation .
+
+:PredicateIsSomePredicate a access:Check ;
+    access:useOperator access-individual:Equals ;
+    access:hasTypeToCheck access-individual:StatementPredicateUri ;
+    access:value :SomeUri .
+
+:ObjectUriIsSomeUri a access:Check ;
+    access:useOperator access-individual:Equals ;
+    access:hasTypeToCheck access-individual:StatementObjectUri ;
+    access:value :SomeUri .
+
+:IsObjectPropertyStatement a access:Check ;
+    access:useOperator access-individual:Equals ;
+    access:hasTypeToCheck access-individual:AccessObjectType ;
+    access:value access-individual:ObjectPropertyStatement .
+
+:SomeUri a access:AttributeUriValue ;
+    access:id "?SOME_URI" .
+
diff --git a/home/src/main/resources/rdf/accessControl/firsttime/template_not_modifiable_statements.n3 b/home/src/main/resources/rdf/accessControl/firsttime/template_not_modifiable_statements.n3
new file mode 100644
index 0000000000..1d4ef340a5
--- /dev/null
+++ b/home/src/main/resources/rdf/accessControl/firsttime/template_not_modifiable_statements.n3
@@ -0,0 +1,115 @@
+# $This file is distributed under the terms of the license in LICENSE$
+
+@prefix access-individual: <https://vivoweb.org/ontology/vitro-application/auth/individual/> .
+@prefix access: <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/> .
+@prefix : <https://vivoweb.org/ontology/vitro-application/auth/individual/non-modifiable-statements/> .
+
+:PolicyTemplate a access:PolicyTemplate ;
+    access:priority 8000 ;
+    access:hasDataSet :NotModifiableStatementsPolicyDataSet ;
+    access:hasRule :RestrictObjectPropertyStatementsWithNotModifiablePredicate ;
+    access:hasRule :RestrictObjectPropertyStatementsWithNotModifiableSubject ;
+    access:hasRule :RestrictObjectPropertyStatementsWithNotModifiableObject ;
+    access:hasRule :RestrictDataPropertyStatementsWithNotModifiableSubject ;
+    access:hasRule :RestrictDataPropertyStatementsWithNotModifiablePredicate ;
+    .
+
+:RestrictObjectPropertyStatementsWithNotModifiableSubject a access:Rule ;
+    access:hasDecision access-individual:Deny ;
+    access:requiresCheck :IsObjectPropertyStatement ;
+    access:requiresCheck :SubjectUriStartWithProhibitedNamespace ;
+    access:requiresCheck :StatementSubjectNotOneOfProhibitedExceptions .
+
+:RestrictObjectPropertyStatementsWithNotModifiablePredicate a access:Rule ;
+    access:hasDecision access-individual:Deny ;
+    access:requiresCheck :IsObjectPropertyStatement ;
+    access:requiresCheck :PredicateUriStartWithProhibitedNamespace ;
+    access:requiresCheck :PredicateNotANamespaceException .
+
+:RestrictObjectPropertyStatementsWithNotModifiableObject a access:Rule ;
+    access:hasDecision access-individual:Deny ;
+    access:requiresCheck :IsObjectPropertyStatement ;
+    access:requiresCheck :StatementObjectUriStartsWithProhibitedNameSpace ;
+    access:requiresCheck :ObjectUriNotOneOfProhibitedExceptions .
+
+:RestrictDataPropertyStatementsWithNotModifiableSubject a access:Rule ;
+    access:hasDecision access-individual:Deny ;
+    access:requiresCheck :IsDataPropertyStatement ;
+    access:requiresCheck :SubjectUriStartWithProhibitedNamespace ;
+    access:requiresCheck :StatementSubjectNotOneOfProhibitedExceptions .
+
+:RestrictDataPropertyStatementsWithNotModifiablePredicate a access:Rule ;
+    access:hasDecision access-individual:Deny ;
+    access:requiresCheck :IsDataPropertyStatement ;
+    access:requiresCheck :PredicateUriStartWithProhibitedNamespace ;
+    access:requiresCheck :PredicateNotANamespaceException .
+
+:IsObjectPropertyStatement a access:Check ;
+    access:useOperator access-individual:Equals ;
+    access:hasTypeToCheck access-individual:AccessObjectType ;
+    access:value access-individual:ObjectPropertyStatement .
+
+:IsDataPropertyStatement a access:Check ;
+    access:useOperator access-individual:Equals ;
+    access:hasTypeToCheck access-individual:AccessObjectType ;
+    access:value access-individual:DataPropertyStatement .
+
+### Not modifiable property statement attributes
+:PredicateUriStartWithProhibitedNamespace a access:Check ;
+    access:useOperator access-individual:StartsWith ;
+    access:hasTypeToCheck access-individual:StatementPredicateUri ;
+    access:values :ProhibitedNamespaceValueSet .
+
+:PredicateNotANamespaceException a access:Check ;
+    access:useOperator access-individual:NotOneOf ;
+    access:hasTypeToCheck access-individual:StatementPredicateUri ;
+    access:values :ProhibitedNamespaceExceptionsValueSet .
+
+:SubjectUriStartWithProhibitedNamespace a access:Check ;
+    access:useOperator access-individual:StartsWith ;
+    access:hasTypeToCheck access-individual:StatementSubjectUri ;
+    access:values :ProhibitedNamespaceValueSet .
+
+:StatementSubjectNotOneOfProhibitedExceptions a access:Check ;
+    access:useOperator access-individual:NotOneOf ;
+    access:hasTypeToCheck access-individual:StatementSubjectUri ;
+    access:values :ProhibitedNamespaceExceptionsValueSet .
+
+:StatementObjectUriStartsWithProhibitedNameSpace a access:Check ;
+    access:useOperator access-individual:StartsWith ;
+    access:hasTypeToCheck access-individual:StatementObjectUri ;
+    access:values :ProhibitedNamespaceValueSet .
+
+:ObjectUriNotOneOfProhibitedExceptions a access:Check ;
+    access:useOperator access-individual:NotOneOf ;
+    access:hasTypeToCheck access-individual:StatementObjectUri ;
+    access:values :ProhibitedNamespaceExceptionsValueSet .
+
+:NotModifiableStatementsPolicyDataSet a access:DataSet ;
+    access:hasRelatedValueSet :ProhibitedNamespaceExceptionsValueSet ;
+    access:hasRelatedValueSet :ProhibitedNamespaceValueSet .
+
+:ProhibitedNamespaceExceptionsValueSet a access:ValueSet ;
+    .
+
+:ProhibitedNamespaceValueSet a access:ValueSet ;
+    .
+
+:ProhibitedNamespaceExceptionsValueSet
+    access:value <http://vitro.mannlib.cornell.edu/ns/vitro/0.7#moniker> ;
+    access:value <http://vitro.mannlib.cornell.edu/ns/vitro/0.7#modTime> ;
+    access:value <http://vitro.mannlib.cornell.edu/ns/vitro/public#mainImage> ;
+    access:value <http://vitro.mannlib.cornell.edu/ns/vitro/0.7#Link> ;
+    access:value <http://vitro.mannlib.cornell.edu/ns/vitro/0.7#primaryLink> ;
+    access:value <http://vitro.mannlib.cornell.edu/ns/vitro/0.7#additionalLink> ;
+    access:value <http://vitro.mannlib.cornell.edu/ns/vitro/0.7#linkAnchor> ;
+    access:value <http://vitro.mannlib.cornell.edu/ns/vitro/0.7#linkURL> ;
+    .
+
+:ProhibitedNamespaceValueSet
+    access:value  :prohibitedNamespacePrefix ; 
+    .
+
+:prohibitedNamespacePrefix a access:AttributeValuePrefix ;
+    access:id "http://vitro.mannlib.cornell.edu/ns/vitro/0.7#" ;
+    
diff --git a/home/src/main/resources/rdf/accessControl/firsttime/template_simple_permissions.n3 b/home/src/main/resources/rdf/accessControl/firsttime/template_simple_permissions.n3
new file mode 100644
index 0000000000..5f6cc4cce0
--- /dev/null
+++ b/home/src/main/resources/rdf/accessControl/firsttime/template_simple_permissions.n3
@@ -0,0 +1,141 @@
+# $This file is distributed under the terms of the license in LICENSE$
+
+@prefix auth: <http://vitro.mannlib.cornell.edu/ns/vitro/authorization#> .
+@prefix access-individual: <https://vivoweb.org/ontology/vitro-application/auth/individual/> .
+@prefix access: <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/> .
+@prefix simplePermission: <java:edu.cornell.mannlib.vitro.webapp.auth.permissions.SimplePermission#> .
+@prefix : <https://vivoweb.org/ontology/vitro-application/auth/individual/simple-permissions/> .
+
+:PolicyTemplate a access:PolicyTemplate ;
+    access:priority 1000 ;
+    access:hasRule :AllowSimplePermission ;
+    access:hasDataSetTemplate :RoleDataSetTemplate ;
+    access:hasDataSet :PublicDataSet ;
+    access:hasDataSet :SelfEditorDataSet ;
+    access:hasDataSet :EditorDataSet ;
+    access:hasDataSet :CuratorDataSet ;
+    access:hasDataSet :AdminDataSet .
+
+#Role data set template
+
+:RoleDataSetTemplate a access:DataSetTemplate ;
+    access:hasDataSetTemplateKey :RoleDataSetTemplateKey ;
+    access:hasDataSetKeyTemplate :RoleDataSetKeyTemplate ;
+    access:dataSetValueTemplate :RoleValueSetTemplate ;
+    access:dataSetValueTemplate :RolePermissionValueSetTemplate .  
+
+:RoleDataSetTemplateKey a access:DataSetTemplateKey ;
+    access:hasTemplateKeyComponent access-individual:SubjectRole .
+
+:RoleDataSetKeyTemplate a access:DataSetKeyTemplate ;
+    access:hasKeyComponent access-individual:NamedObject ;
+    access:hasKeyComponent access-individual:ExecuteOperation ;
+    access:hasKeyComponentTemplate access-individual:SubjectRole .
+
+:RoleValueSetTemplate a access:ValueSetTemplate ;
+    access:relatedCheck :SubjectRoleEqualsDataSetRole;
+    access:containsElementsOfType access-individual:SubjectRole .
+
+:RolePermissionValueSetTemplate a access:ValueSetTemplate ;
+    access:relatedCheck :PermissionNameAllowed;
+    access:value simplePermission:PageViewablePublic;
+    access:value simplePermission:QueryFullModel ;
+    access:containsElementsOfType access-individual:NamedObject .
+
+#Data sets
+
+:PublicDataSet a access:DataSet ;
+    access:hasDataSetKey :PublicDataSetKey ;
+    access:hasRelatedValueSet access-individual:PublicRoleValueSet ;
+    access:hasRelatedValueSet :PublicSimplePermissionValueSet .
+
+:PublicDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:NamedObject ;
+    access:hasKeyComponent access-individual:ExecuteOperation ;
+    access:hasKeyComponent access-individual:PublicRoleUri .
+
+:SelfEditorDataSet a access:DataSet ;
+    access:hasDataSetKey :SelfEditorDataSetKey ;
+    access:hasRelatedValueSet access-individual:SelfEditorRoleValueSet ;
+    access:hasRelatedValueSet :SelfEditorSimplePermissionValueSet .
+
+:SelfEditorDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:NamedObject ;
+    access:hasKeyComponent access-individual:ExecuteOperation ;
+    access:hasKeyComponent access-individual:SelfEditorRoleUri .
+
+:EditorDataSet a access:DataSet ;
+    access:hasDataSetKey :EditorDataSetKey ;
+    access:hasRelatedValueSet access-individual:EditorRoleValueSet ;
+    access:hasRelatedValueSet :EditorSimplePermissionValueSet .
+
+:EditorDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:NamedObject ;
+    access:hasKeyComponent access-individual:ExecuteOperation ;
+    access:hasKeyComponent access-individual:EditorRoleUri .
+
+:CuratorDataSet a access:DataSet ;
+    access:hasDataSetKey :CuratorDataSetKey ;
+    access:hasRelatedValueSet access-individual:CuratorRoleValueSet ;
+    access:hasRelatedValueSet :CuratorSimplePermissionValueSet .
+
+:CuratorDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:NamedObject ;
+    access:hasKeyComponent access-individual:ExecuteOperation ;
+    access:hasKeyComponent access-individual:CuratorRoleUri .
+
+:AdminDataSet a access:DataSet ;
+    access:hasDataSetKey :AdminDataSetKey  ;
+    access:hasRelatedValueSet access-individual:AdminRoleValueSet ;
+    access:hasRelatedValueSet :AdminSimplePermissionValueSet .
+
+:AdminDataSetKey  a access:DataSetKey ;
+    access:hasKeyComponent access-individual:NamedObject ;
+    access:hasKeyComponent access-individual:ExecuteOperation ;
+    access:hasKeyComponent access-individual:AdminRoleUri .
+
+:AllowSimplePermission a access:Rule;
+    access:requiresCheck :IsSimplePermission ;
+    access:requiresCheck :IsExecuteOperation ;
+    access:requiresCheck :PermissionNameAllowed ;
+    access:requiresCheck :SubjectRoleEqualsDataSetRole .
+
+:IsExecuteOperation a access:Check ;
+    access:useOperator access-individual:Equals ;
+    access:hasTypeToCheck access-individual:Operation ;
+    access:value access-individual:ExecuteOperation .
+
+:PermissionNameAllowed a access:Check ;
+    access:useOperator access-individual:OneOf ;
+    access:hasTypeToCheck access-individual:AccessObjectUri ;
+    access:values :PublicSimplePermissionValueSet ;
+    access:values :SelfEditorSimplePermissionValueSet ;
+    access:values :EditorSimplePermissionValueSet ;
+    access:values :CuratorSimplePermissionValueSet ;
+    access:values :AdminSimplePermissionValueSet .
+
+:IsSimplePermission a access:Check ;
+    access:useOperator access-individual:Equals ;
+    access:hasTypeToCheck access-individual:AccessObjectType ;
+    access:value access-individual:NamedObject .
+
+:PublicSimplePermissionValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:NamedObject .
+:SelfEditorSimplePermissionValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:NamedObject .
+:EditorSimplePermissionValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:NamedObject .
+:CuratorSimplePermissionValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:NamedObject .
+:AdminSimplePermissionValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:NamedObject .
+
+:SubjectRoleEqualsDataSetRole a access:Check ;
+    access:useOperator access-individual:Equals ;
+    access:hasTypeToCheck access-individual:SubjectRole ;
+    access:values access-individual:PublicRoleValueSet ;
+    access:values access-individual:SelfEditorRoleValueSet ;
+    access:values access-individual:EditorRoleValueSet ;
+    access:values access-individual:CuratorRoleValueSet ;
+    access:values access-individual:AdminRoleValueSet .
+
diff --git a/home/src/main/resources/rdf/accessControl/firsttime/template_update_related_allowed_property.n3 b/home/src/main/resources/rdf/accessControl/firsttime/template_update_related_allowed_property.n3
new file mode 100644
index 0000000000..8f28475ec6
--- /dev/null
+++ b/home/src/main/resources/rdf/accessControl/firsttime/template_update_related_allowed_property.n3
@@ -0,0 +1,321 @@
+# $This file is distributed under the terms of the license in LICENSE$
+
+@prefix auth: <http://vitro.mannlib.cornell.edu/ns/vitro/authorization#> .
+@prefix access-individual: <https://vivoweb.org/ontology/vitro-application/auth/individual/> .
+@prefix access: <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/> .
+@prefix : <https://vivoweb.org/ontology/vitro-application/auth/individual/update-related-allowed-property/> .
+
+:PolicyTemplate a access:PolicyTemplate ;
+    access:hasRule :AllowMatchingPropertyStatement ;
+    access:hasRule :AllowMatchingProperty ;
+ 
+    access:hasDataSet :SelfEditorAddObjectPropertyDataSet ;
+    access:hasDataSet :SelfEditorAddDataPropertyDataSet ;
+    access:hasDataSet :SelfEditorAddFauxObjectPropertyDataSet ;
+    access:hasDataSet :SelfEditorAddFauxDataPropertyDataSet ;
+
+    access:hasDataSet :SelfEditorEditObjectPropertyDataSet ;
+    access:hasDataSet :SelfEditorEditDataPropertyDataSet ;
+    access:hasDataSet :SelfEditorEditFauxObjectPropertyDataSet ;
+    access:hasDataSet :SelfEditorEditFauxDataPropertyDataSet ;
+
+    access:hasDataSet :SelfEditorDropObjectPropertyDataSet ;
+    access:hasDataSet :SelfEditorDropDataPropertyDataSet ;
+    access:hasDataSet :SelfEditorDropFauxObjectPropertyDataSet ;
+    access:hasDataSet :SelfEditorDropFauxDataPropertyDataSet ;
+    .
+
+### Add object property data sets
+
+:SelfEditorAddObjectPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :SelfEditorAddObjectPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:SelfEditorRoleValueSet ;
+    access:hasRelatedValueSet access-individual:ObjectPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:ObjectPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:AddOperationValueSet ;
+    access:hasRelatedValueSet :SelfEditorAddObjectPropertyValueSet .
+
+:SelfEditorAddObjectPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:ObjectProperty ;
+    access:hasKeyComponent access-individual:SelfEditorRoleUri ;
+    access:hasKeyComponent access-individual:AddOperation .
+
+### Add data property data sets
+
+:SelfEditorAddDataPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :SelfEditorAddDataPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:SelfEditorRoleValueSet ;
+    access:hasRelatedValueSet access-individual:DataPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:DataPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:AddOperationValueSet ;
+    access:hasRelatedValueSet :SelfEditorAddDataPropertyValueSet .
+
+:SelfEditorAddDataPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:DataProperty ;
+    access:hasKeyComponent access-individual:SelfEditorRoleUri ;
+    access:hasKeyComponent access-individual:AddOperation .
+
+### Add faux object property data sets
+
+:SelfEditorAddFauxObjectPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :SelfEditorAddFauxObjectPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:SelfEditorRoleValueSet ;
+    access:hasRelatedValueSet access-individual:FauxObjectPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:FauxObjectPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:AddOperationValueSet ;
+    access:hasRelatedValueSet :SelfEditorAddFauxObjectPropertyValueSet .
+
+:SelfEditorAddFauxObjectPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:FauxObjectProperty ;
+    access:hasKeyComponent access-individual:SelfEditorRoleUri ;
+    access:hasKeyComponent access-individual:AddOperation .
+
+### Add faux data property data sets
+
+:SelfEditorAddFauxDataPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :SelfEditorAddFauxDataPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:SelfEditorRoleValueSet ;
+    access:hasRelatedValueSet access-individual:FauxDataPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:FauxDataPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:AddOperationValueSet ;
+    access:hasRelatedValueSet :SelfEditorAddFauxDataPropertyValueSet .
+
+:SelfEditorAddFauxDataPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:FauxDataProperty ;
+    access:hasKeyComponent access-individual:SelfEditorRoleUri ;
+    access:hasKeyComponent access-individual:AddOperation .
+
+### Drop object property data sets
+
+:SelfEditorDropObjectPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :SelfEditorDropObjectPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:SelfEditorRoleValueSet ;
+    access:hasRelatedValueSet access-individual:ObjectPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:ObjectPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:DropOperationValueSet ;
+    access:hasRelatedValueSet :SelfEditorDropObjectPropertyValueSet .
+
+:SelfEditorDropObjectPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:ObjectProperty ;
+    access:hasKeyComponent access-individual:SelfEditorRoleUri ;
+    access:hasKeyComponent access-individual:DropOperation .
+
+### Drop data property data sets
+
+:SelfEditorDropDataPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :SelfEditorDropDataPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:SelfEditorRoleValueSet ;
+    access:hasRelatedValueSet access-individual:DataPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:DataPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:DropOperationValueSet ;
+    access:hasRelatedValueSet :SelfEditorDropDataPropertyValueSet .
+
+:SelfEditorDropDataPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:DataProperty ;
+    access:hasKeyComponent access-individual:SelfEditorRoleUri ;
+    access:hasKeyComponent access-individual:DropOperation .
+
+### Drop faux object property data sets
+
+:SelfEditorDropFauxObjectPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :SelfEditorDropFauxObjectPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:SelfEditorRoleValueSet ;
+    access:hasRelatedValueSet access-individual:FauxObjectPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:FauxObjectPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:DropOperationValueSet ;
+    access:hasRelatedValueSet :SelfEditorDropFauxObjectPropertyValueSet .
+
+:SelfEditorDropFauxObjectPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:FauxObjectProperty ;
+    access:hasKeyComponent access-individual:SelfEditorRoleUri ;
+    access:hasKeyComponent access-individual:DropOperation .
+
+### Drop faux data property data sets
+
+:SelfEditorDropFauxDataPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :SelfEditorDropFauxDataPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:SelfEditorRoleValueSet ;
+    access:hasRelatedValueSet access-individual:FauxDataPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:FauxDataPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:DropOperationValueSet ;
+    access:hasRelatedValueSet :SelfEditorDropFauxDataPropertyValueSet .
+
+:SelfEditorDropFauxDataPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:FauxDataProperty ;
+    access:hasKeyComponent access-individual:SelfEditorRoleUri ;
+    access:hasKeyComponent access-individual:DropOperation .
+
+### Edit object property data sets
+
+:SelfEditorEditObjectPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :SelfEditorEditObjectPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:SelfEditorRoleValueSet ;
+    access:hasRelatedValueSet access-individual:ObjectPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:ObjectPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:EditOperationValueSet ;
+    access:hasRelatedValueSet :SelfEditorEditObjectPropertyValueSet .
+
+:SelfEditorEditObjectPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:ObjectProperty ;
+    access:hasKeyComponent access-individual:SelfEditorRoleUri ;
+    access:hasKeyComponent access-individual:EditOperation .
+
+### Edit data property data sets
+
+:SelfEditorEditDataPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :SelfEditorEditDataPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:SelfEditorRoleValueSet ;
+    access:hasRelatedValueSet access-individual:DataPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:DataPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:EditOperationValueSet ;
+    access:hasRelatedValueSet :SelfEditorEditDataPropertyValueSet .
+
+:SelfEditorEditDataPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:DataProperty ;
+    access:hasKeyComponent access-individual:SelfEditorRoleUri ;
+    access:hasKeyComponent access-individual:EditOperation .
+
+### Edit faux object property data sets
+
+:SelfEditorEditFauxObjectPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :SelfEditorEditFauxObjectPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:SelfEditorRoleValueSet ;
+    access:hasRelatedValueSet access-individual:FauxObjectPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:FauxObjectPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:EditOperationValueSet ;
+    access:hasRelatedValueSet :SelfEditorEditFauxObjectPropertyValueSet .
+
+:SelfEditorEditFauxObjectPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:FauxObjectProperty ;
+    access:hasKeyComponent access-individual:SelfEditorRoleUri ;
+    access:hasKeyComponent access-individual:EditOperation .
+
+### Edit faux data property data sets
+
+:SelfEditorEditFauxDataPropertyDataSet a access:DataSet ;
+    access:hasDataSetKey :SelfEditorEditFauxDataPropertyDataSetKey ;
+    access:hasRelatedValueSet access-individual:SelfEditorRoleValueSet ;
+    access:hasRelatedValueSet access-individual:FauxDataPropertyValueSet ;
+    access:hasRelatedValueSet access-individual:FauxDataPropertyStatementValueSet ;
+    access:hasRelatedValueSet access-individual:EditOperationValueSet ;
+    access:hasRelatedValueSet :SelfEditorEditFauxDataPropertyValueSet .
+
+:SelfEditorEditFauxDataPropertyDataSetKey a access:DataSetKey ;
+    access:hasKeyComponent access-individual:FauxDataProperty ;
+    access:hasKeyComponent access-individual:SelfEditorRoleUri ;
+    access:hasKeyComponent access-individual:EditOperation .
+
+:AllowMatchingProperty a access:Rule;
+    access:requiresCheck :SubjectRoleCheck ;
+    access:requiresCheck :OperationCheck ;
+    access:requiresCheck :AccessObjectTypeCheck ;
+    access:requiresCheck :AccessObjectUriCheck .
+
+:AccessObjectTypeCheck a access:Check ;
+    access:useOperator access-individual:Equals ;
+    access:hasTypeToCheck access-individual:AccessObjectType ;
+    access:values access-individual:ObjectPropertyValueSet ;
+    access:values access-individual:DataPropertyValueSet ;
+    access:values access-individual:FauxObjectPropertyValueSet ;
+    access:values access-individual:FauxDataPropertyValueSet ;
+    .
+
+:AllowMatchingPropertyStatement a access:Rule;
+    access:requiresCheck :SubjectRoleCheck ;
+    access:requiresCheck :OperationCheck ;
+    access:requiresCheck :AccessObjectStatementTypeCheck ;
+    access:requiresCheck :StatementPredicateCheck ;
+    access:requiresCheck :RelationCheck ;
+    .
+
+:RelationCheck a access:Check ;
+    access:useOperator access-individual:SparqlSelectQueryContains ;
+    access:hasTypeToCheck access-individual:StatementSubjectUri ;
+    access:value access-individual:PersonProfileProximityToResourceUri .
+
+:AccessObjectStatementTypeCheck a access:Check ;
+    access:useOperator access-individual:Equals ;
+    access:hasTypeToCheck access-individual:AccessObjectType ;
+    access:values access-individual:ObjectPropertyStatementValueSet ;
+    access:values access-individual:DataPropertyStatementValueSet ;
+    access:values access-individual:FauxObjectPropertyStatementValueSet ;
+    access:values access-individual:FauxDataPropertyStatementValueSet ;
+    .
+
+:OperationCheck a access:Check ;
+    access:useOperator access-individual:Equals ;
+    access:hasTypeToCheck access-individual:Operation ;
+    access:values access-individual:AddOperationValueSet ;
+    access:values access-individual:DropOperationValueSet ;
+    access:values access-individual:EditOperationValueSet ;
+    .
+
+:SubjectRoleCheck a access:Check ;
+    access:useOperator access-individual:Equals ;
+    access:hasTypeToCheck access-individual:SubjectRole ;
+    access:values access-individual:SelfEditorRoleValueSet .
+
+:StatementPredicateCheck a access:Check ;
+    access:useOperator access-individual:OneOf ;
+    access:hasTypeToCheck access-individual:StatementPredicateUri ;
+    access:values :SelfEditorAddObjectPropertyValueSet ;
+    access:values :SelfEditorAddDataPropertyValueSet ;
+    access:values :SelfEditorAddFauxObjectPropertyValueSet ;
+    access:values :SelfEditorAddFauxDataPropertyValueSet ;
+
+    access:values :SelfEditorEditObjectPropertyValueSet ;
+    access:values :SelfEditorEditDataPropertyValueSet ;
+    access:values :SelfEditorEditFauxObjectPropertyValueSet ;
+    access:values :SelfEditorEditFauxDataPropertyValueSet ;
+
+    access:values :SelfEditorDropObjectPropertyValueSet ;
+    access:values :SelfEditorDropDataPropertyValueSet ;
+    access:values :SelfEditorDropFauxObjectPropertyValueSet ;
+    access:values :SelfEditorDropFauxDataPropertyValueSet ;
+    .
+
+:AccessObjectUriCheck a access:Check ;
+    access:useOperator access-individual:OneOf ;
+    access:hasTypeToCheck access-individual:AccessObjectUri ;
+    access:values :SelfEditorAddObjectPropertyValueSet ;
+    access:values :SelfEditorAddDataPropertyValueSet ;
+    access:values :SelfEditorAddFauxObjectPropertyValueSet ;
+    access:values :SelfEditorAddFauxDataPropertyValueSet ;
+
+    access:values :SelfEditorEditObjectPropertyValueSet ;
+    access:values :SelfEditorEditDataPropertyValueSet ;
+    access:values :SelfEditorEditFauxObjectPropertyValueSet ;
+    access:values :SelfEditorEditFauxDataPropertyValueSet ;
+
+    access:values :SelfEditorDropObjectPropertyValueSet ;
+    access:values :SelfEditorDropDataPropertyValueSet ;
+    access:values :SelfEditorDropFauxObjectPropertyValueSet ;
+    access:values :SelfEditorDropFauxDataPropertyValueSet ;
+    .
+
+:SelfEditorAddObjectPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:ObjectProperty .
+:SelfEditorAddDataPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:DataProperty .
+:SelfEditorAddFauxObjectPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:FauxObjectProperty .
+:SelfEditorAddFauxDataPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:FauxDataProperty .
+
+:SelfEditorEditObjectPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:ObjectProperty .
+:SelfEditorEditDataPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:DataProperty .
+:SelfEditorEditFauxObjectPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:FauxObjectProperty .
+:SelfEditorEditFauxDataPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:FauxDataProperty .
+
+:SelfEditorDropObjectPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:ObjectProperty .
+:SelfEditorDropDataPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:DataProperty .
+:SelfEditorDropFauxObjectPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:FauxObjectProperty .
+:SelfEditorDropFauxDataPropertyValueSet a access:ValueSet ;
+    access:containsElementsOfType access-individual:FauxDataProperty .
diff --git a/home/src/main/resources/rdf/tbox/firsttime/vitro-access-control-ontology.n3 b/home/src/main/resources/rdf/tbox/firsttime/vitro-access-control-ontology.n3
new file mode 100644
index 0000000000..886a7bd068
--- /dev/null
+++ b/home/src/main/resources/rdf/tbox/firsttime/vitro-access-control-ontology.n3
@@ -0,0 +1,249 @@
+# $This file is distributed under the terms of the license in LICENSE$
+
+@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
+@prefix owl: <http://www.w3.org/2002/07/owl#> .
+@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .
+@prefix : <https://vivoweb.org/ontology/vitro-application/auth/vocabulary/> .
+
+### Ontology
+
+<https://vivoweb.org/ontology/vitro-application/auth/vocabulary> a owl:Ontology .
+
+### Classes
+
+:PolicyTemplate a owl:Class ;
+    rdfs:comment "Policy template to define rules that can be reused by data sets" ; 
+    rdfs:label "Policy template"@en-US .
+
+:Policy a owl:Class ;
+    rdfs:comment "Policy to define access rules" ; 
+    rdfs:label "Policy"@en-US .
+
+:DataSet a owl:Class ;
+    rdfs:comment "Data set to load policy instance with values defined in it. Contains value sets used by checks. While loading policy from data set value containers not specified in current data set are ignored (not used by checks)." ;
+    rdfs:label "Dataset"@en-US .
+
+:ValueSet a owl:Class ;
+    rdfs:comment "Container for values" ; 
+    rdfs:label "Value set"@en-US .
+
+:Rule a owl:Class ;
+    rdfs:comment "Contains checks to perform. If all checks match, rule returns decision.";
+    rdfs:label "Access rule"@en-US .
+
+:Check a owl:Class ;
+    rdfs:comment "Check to perform on attribute of request";
+    rdfs:label "Access rule check"@en-US .
+
+:Operator a owl:Class ;
+    rdfs:comment "Operator to use in check";
+    rdfs:label "Operator"@en-US .
+
+:AttributeValuePattern a owl:Class ;
+    rdfs:comment "Resource represents single value, usually specified as literal with :id ";
+    rdfs:label "Value"@en-US .
+
+:Operation a owl:Class ;
+    rdfs:subClassOf :AttributeValuePattern ;
+    rdfs:comment "Access operation";
+    rdfs:label "Operation"@en-US .
+
+:ObjectType a owl:Class ;
+    rdfs:subClassOf :AttributeValuePattern ;
+    rdfs:comment "Type of access object";
+    rdfs:label "Object type"@en-US .
+
+:AttributeUriValue a owl:Class ;
+    rdfs:subClassOf :AttributeValuePattern ;
+    rdfs:comment "Represents attribute uri value";
+    rdfs:label "Attribute uri value"@en-US .
+
+:SubjectRoleUri a owl:Class ;
+    rdfs:subClassOf :AttributeUriValue ;
+    rdfs:comment "Represents role uri";
+    rdfs:label "subject role uri"@en-US .
+
+:SparqlSelectValuesQuery a owl:Class ;
+    rdfs:subClassOf :AttributeValuePattern ;
+    rdfs:comment "Represents SPARQL Select query to get attribute values";
+    rdfs:label "Attribute uri value"@en-US .
+
+:AttributeValuePrefix a owl:Class ;
+    rdfs:subClassOf :AttributeValuePattern ;
+    rdfs:comment "Represents attribute value substring pattern";
+    rdfs:label "Attribute value prefix"@en-US .
+
+:SubjectType a owl:Class ;
+    rdfs:subClassOf :AttributeValuePattern ;
+    rdfs:comment "Type of subject(user, non-personal entity) requested access";
+    rdfs:label "Subject type"@en-US .
+
+:AttributeType a owl:Class ;
+    rdfs:comment "Attribute type to check";
+    rdfs:label "Attribute type"@en-US .
+
+:Decision a owl:Class ;
+    rdfs:comment "Decision to return in case all checks in a rule match";
+    rdfs:label "Decision"@en-US .
+
+:DataSetTemplate a owl:Class ;
+    rdfs:comment "Data set template to create new data set: specify new value sets and add them into checks, create new data set key. Data set template should contain it's own key to be found and used. For example on new role creation new data sets for new role should be created, template key for that example would be access-individual:SubjectRole";
+    rdfs:label "Data set template"@en-US .
+
+:DataSetTemplateKey a owl:Class ;
+    rdfs:comment "Key to find template";
+    rdfs:label "Data set template key"@en-US .
+
+:DataSetKeyTemplate a owl:Class ;
+    rdfs:comment "Template of data set key to find data set";
+    rdfs:label "Data set key template"@en-US .
+
+:ValueSetTemplate a owl:Class ;
+    rdfs:comment "Template to create new value set from";
+    rdfs:label "Value set template"@en-US .
+    
+:Configuration a owl:Class ;
+    rdfs:comment "Access control configuration";
+    rdfs:label "Configuration"@en-US .
+
+### Data properties
+
+:id a owl:DatatypeProperty ,
+    owl:FunctionalProperty ;
+    rdfs:comment "Set string identifier";
+    rdfs:range xsd:string ;
+    rdfs:domain [ a owl:Class ; owl:unionOf  ( :Operator :Decision :AttributeValuePattern :AttributeType ) ] ;
+    rdfs:label "id"@en-US .
+
+:priority a owl:DatatypeProperty ,
+    owl:FunctionalProperty ;
+    rdfs:comment "Set priority to :Policy, :PolicyTemplate or :DataSet";
+    rdfs:range xsd:integer ;
+    rdfs:domain [ a owl:Class ; owl:unionOf  ( :Policy :PolicyTemplate :DataSet ) ] ;
+    rdfs:label "priority"@en-US . 
+    
+:version a owl:DatatypeProperty ,
+    owl:FunctionalProperty ;
+    rdfs:comment "Access control configuration version";
+    rdfs:range xsd:integer ;
+    rdfs:domain :Configuration ;
+    rdfs:label "version"@en-US .
+
+### Object properties
+
+:hasRelatedValueSet a owl:ObjectProperty ;
+    rdfs:comment "Specifies value sets related to :DataSetTemplate or :DataSet.";
+    rdfs:label "has related value set"@en-US ;
+    rdfs:domain [ a owl:Class ; owl:unionOf  ( :DataSetTemplate :DataSet ) ] ;
+    rdfs:range :ValueSet .
+
+:value a owl:ObjectProperty ;
+    rdfs:comment "Assign one value (any URI or :AttributeValuePattern with :id to define literal value)";
+    rdfs:label "value"@en-US ;
+    rdfs:domain [ a owl:Class ; owl:unionOf  ( :ValueSetTemplate :ValueSet :Check ) ] ;
+    rdfs:range :AttributeValuePattern .
+
+:useOperator a owl:ObjectProperty ;
+    rdfs:comment "Use operator in :Check";
+    rdfs:label "use operator"@en-US ;
+    rdfs:domain :Check ;
+    rdfs:range :Operator .
+
+:hasTypeToCheck a owl:ObjectProperty ,
+    owl:FunctionalProperty ;
+    rdfs:comment "Set attribute type that should be checked";
+    rdfs:label "has type to check"@en-US ;
+    rdfs:domain :Check ;
+    rdfs:range :AttributeType .
+
+:containsElementsOfType a owl:ObjectProperty ,
+    owl:FunctionalProperty ;
+    rdfs:comment "Type of values for new value set";
+    rdfs:label "set type template"@en-US ;
+    rdfs:range [ a owl:Class ; owl:unionOf  ( :AttributeType :AttributeValuePattern ) ] ;
+    rdfs:domain [ a owl:Class ; owl:unionOf ( :ValueSet :ValueSetTemplate ) ] .
+
+:values a owl:ObjectProperty ;
+    rdfs:comment "Multiple values";
+    rdfs:label "values"@en-US ;
+    rdfs:domain :Check ;
+    rdfs:range :ValueSet .
+
+:relatedCheck a owl:ObjectProperty ;
+    rdfs:comment "Specifies :Check into which new ValueSet should be added";
+    rdfs:label "related check"@en-US ;
+    rdfs:domain :ValueSetTemplate ;
+    rdfs:range :Check .
+
+:hasDataSetTemplateKey a owl:ObjectProperty, 
+    owl:FunctionalProperty ;
+    rdfs:comment "Specify data set template key";
+    rdfs:label "has data set template key"@en-US ;
+    rdfs:domain :DataSetTemplate ;
+    rdfs:range :DataSetTemplateKey .
+
+:dataSetValueTemplate a owl:ObjectProperty ;
+    rdfs:comment "Contains value set template";
+    rdfs:label "data set value template"@en-US ;
+    rdfs:domain :DataSetTemplate ;
+    rdfs:range :ValueSetTemplate .
+
+:hasTemplateKeyComponent a owl:ObjectProperty ;
+    rdfs:comment "Specifies ttribute type to use as a template key";
+    rdfs:label "has template key component"@en-US ;
+    rdfs:domain :DataSetTemplateKey ;
+    rdfs:range :AttributeType .
+
+:requiresCheck a owl:ObjectProperty ;
+    rdfs:comment "Requires check";
+    rdfs:label "requires check"@en-US ;
+    rdfs:domain :Rule ;
+    rdfs:range :Check .
+
+:hasDecision a owl:ObjectProperty ;
+    rdfs:comment "Decision to return in case of all checks match";
+    rdfs:label "has decision"@en-US ;
+    rdfs:domain :Rule ;
+    rdfs:range :Decision .    
+
+:hasDataSet a owl:ObjectProperty ;
+    rdfs:comment "Relates policy template to data set";
+    rdfs:label "has data set"@en-US ;
+    rdfs:domain :PolicyTemplate ;
+    rdfs:range :DataSet .
+
+:hasRule a owl:ObjectProperty ;
+    rdfs:comment "Assgins a rule to a policy or policy template";
+    rdfs:label "has rule"@en-US ;
+    rdfs:domain [ a owl:Class ; owl:unionOf  ( :Policy :PolicyTemplate ) ] ;
+    rdfs:range :Rule .
+
+:hasDataSetKey a owl:ObjectProperty ;
+    rdfs:comment "Assign data set template to policy data set";
+    rdfs:label "data set key"@en-US ;
+    rdfs:domain :DataSet ;
+    rdfs:range :DataSetKey .
+
+:hasDataSetKeyTemplate a owl:ObjectProperty ;
+    rdfs:comment "Assign data set key template to data set template";
+    rdfs:label "data set key template"@en-US ;
+    rdfs:domain :DataSetTemplate ;
+    rdfs:range :DataSetKeyTemplate .
+
+:hasDataSetTemplate a owl:ObjectProperty ;
+    rdfs:comment "Relates policy template to data set template";
+    rdfs:label "has data set template"@en-US ;
+    rdfs:domain :PolicyTemplate ;
+    rdfs:range :DataSetTemplate .
+
+:hasKeyComponentTemplate a owl:ObjectProperty ;
+    rdfs:comment "Specify component of combined key";
+    rdfs:domain :DataSetKeyTemplate ;
+    rdfs:range :AttributeType ;
+    rdfs:label "has key component template"@en-US .
+
+:hasKeyComponent a owl:ObjectProperty ;
+    rdfs:comment "Specify component of combined key";
+    rdfs:domain [ a owl:Class ; owl:unionOf ( :DataSetKeyTemplate :DataSetKey ) ] ;
+    rdfs:range :AttributeValuePattern ;
+    rdfs:label "has key component"@en-US .
diff --git a/webapp/src/main/webapp/WEB-INF/resources/startup_listeners.txt b/webapp/src/main/webapp/WEB-INF/resources/startup_listeners.txt
index a68ba860c0..3938adcb43 100644
--- a/webapp/src/main/webapp/WEB-INF/resources/startup_listeners.txt
+++ b/webapp/src/main/webapp/WEB-INF/resources/startup_listeners.txt
@@ -35,17 +35,13 @@ edu.cornell.mannlib.vitro.webapp.servlet.setup.SimpleReasonerSetup
 # Must run after JenaDataSourceSetup
 edu.cornell.mannlib.vitro.webapp.servlet.setup.ThemeInfoSetup
 
-edu.cornell.mannlib.vitro.webapp.auth.permissions.PermissionRegistry$Setup
-
 edu.cornell.mannlib.vitro.webapp.auth.permissions.PermissionSetsSmokeTest
 
-edu.cornell.mannlib.vitro.webapp.auth.policy.bean.PropertyRestrictionBean$Setup
-
 edu.cornell.mannlib.vitro.webapp.auth.policy.setup.CommonPolicyFamilySetup
 
-edu.cornell.mannlib.vitro.webapp.auth.policy.RootUserPolicy$Setup
+edu.cornell.mannlib.vitro.webapp.migration.auth.AuthMigrator
 
-edu.cornell.mannlib.vitro.webapp.auth.policy.RestrictHomeMenuItemEditingPolicy$Setup
+edu.cornell.mannlib.vitro.webapp.auth.RootUserSetup
 
 edu.cornell.mannlib.vitro.webapp.services.shortview.ShortViewServiceSetup
 
diff --git a/webapp/src/main/webapp/templates/edit/specific/dataprop_retry.jsp b/webapp/src/main/webapp/templates/edit/specific/dataprop_retry.jsp
index 0e5cda5bcb..6b35856959 100644
--- a/webapp/src/main/webapp/templates/edit/specific/dataprop_retry.jsp
+++ b/webapp/src/main/webapp/templates/edit/specific/dataprop_retry.jsp
@@ -1,7 +1,11 @@
 <%-- $This file is distributed under the terms of the license in LICENSE$ --%>
 
 <%@ taglib prefix="form" uri="http://vitro.mannlib.cornell.edu/edit/tags" %>
-<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
+<%@ taglib prefix="c"  uri="http://java.sun.com/jsp/jstl/core" %>
+<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions"%>
+
+<jsp:directive.page import="edu.cornell.mannlib.vedit.controller.BaseEditController"/>
+
 <%-- colspan set to 4 in DatapropRetryController.java --%>
 <tr class="editformcell">
 	<td valign="top" colspan="2">
@@ -122,29 +126,32 @@
 	</td>
 </tr>
 <tr><td colspan="5"><hr class="formDivider"/></td></tr>
-<tr class="editformcell">
-	<td valign="top" colspan="2">
-		<b>Display level</b><br/>
-		<select name="HiddenFromDisplayBelowRoleLevelUsingRoleUri">
-		    <form:option name="HiddenFromDisplayBelowRoleLevelUsingRoleUri"/>
-		</select>
-	</td>
-	<td valign="top" colspan="2">
-		<b>Update level</b><br />
-		<select name="ProhibitedFromUpdateBelowRoleLevelUsingRoleUri">
-		    <form:option name="ProhibitedFromUpdateBelowRoleLevelUsingRoleUri"/>
-		</select>
-	</td>
-</tr>
-<tr class="editformcell">
-	<td valign="top" colspan="2">
-		<b>Publish level</b><br/>
-		<select name="HiddenFromPublishBelowRoleLevelUsingRoleUri">
-		    <form:option name="HiddenFromPublishBelowRoleLevelUsingRoleUri"/>
-		</select>
-	</td>
-</tr>
-<tr><td colspan="5"><hr class="formDivider"/></td></tr>
+<!-- Permissions -->
+<c:if test="${!empty operationsToRoles}">
+	<input id="_permissions" type="hidden" name="_permissions" value="enabled" />
+	<input id="${BaseEditController.ENTITY_URI_ATTRIBUTE_NAME}" type="hidden" name="${BaseEditController.ENTITY_URI_ATTRIBUTE_NAME}" value="${_permissionsEntityURI}" />
+	<input id="${BaseEditController.ENTITY_TYPE_ATTRIBUTE_NAME}" type="hidden" name="${BaseEditController.ENTITY_TYPE_ATTRIBUTE_NAME}" value="DATA_PROPERTY" />
+	<c:forEach var="entry" items="${operationsToRoles}">
+		<tr class="editformcell">
+			<td valign="top" colspan="5"><b>${entry.key}</b> permissions for this property<br /> 
+				<c:set var="operationLowercase" value="${fn:toLowerCase(entry.key)}" />
+				<c:forEach var="role" items="${entry.value}">
+					<input id="${operationLowercase}${role.label}"
+						type="checkbox" name="${operationLowercase}Roles"
+						value="${role.uri}" ${role.granted?'checked':''}
+						${role.enabled?'':'disabled'} />
+					<label class="inline" for="${operationLowercase}${role.label}">${role.label}</label>
+				</c:forEach>
+			</td>
+		</tr>
+		<tr>
+			<td colspan="5">
+				<hr class="formDivider" />
+			</td>
+		</tr>
+	</c:forEach>
+</c:if>
+<!-- Permissions End -->
 <tr class="editformcell">
 	<td valign="top" colspan="2">
 		<b>Display tier</b> within property group<br/>
diff --git a/webapp/src/main/webapp/templates/edit/specific/fauxProperty_retry.jsp b/webapp/src/main/webapp/templates/edit/specific/fauxProperty_retry.jsp
index beeae3259f..577d30ea5c 100644
--- a/webapp/src/main/webapp/templates/edit/specific/fauxProperty_retry.jsp
+++ b/webapp/src/main/webapp/templates/edit/specific/fauxProperty_retry.jsp
@@ -1,7 +1,10 @@
 <%-- $This file is distributed under the terms of the license in LICENSE$ --%>
 
 <%@ taglib prefix="form" uri="http://vitro.mannlib.cornell.edu/edit/tags" %>
-<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
+<%@ taglib prefix="c"  uri="http://java.sun.com/jsp/jstl/core" %>
+<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions"%>
+
+<jsp:directive.page import="edu.cornell.mannlib.vedit.controller.BaseEditController"/>
 
 <tr class="editformcell">
     <td valign="top" colspan="2">
@@ -59,28 +62,32 @@
 
 <tr><td colspan="5"><hr class="formDivider"/></td></tr>
 
-<tr class="editformcell">
-    <td valign="top" colspan="2">
-        <b>Display level</b><br />
-        <select name="HiddenFromDisplayBelowRoleLevelUsingRoleUri">
-            <form:option name="HiddenFromDisplayBelowRoleLevelUsingRoleUri"/>
-        </select>
-    </td>
-    <td valign="top" colspan="1">
-        <b>Update level</b><br/>
-        <select name="ProhibitedFromUpdateBelowRoleLevelUsingRoleUri">
-            <form:option name="ProhibitedFromUpdateBelowRoleLevelUsingRoleUri"/>
-        </select>
-    </td>
-    <td valign="top" colspan="2">
-        <b>Publish level</b><br />
-        <select name="HiddenFromPublishBelowRoleLevelUsingRoleUri">
-            <form:option name="HiddenFromPublishBelowRoleLevelUsingRoleUri"/>
-        </select>
-    </td>
-</tr>
-
-<tr><td colspan="5"><hr class="formDivider"/></td></tr>
+<!-- Permissions -->
+<c:if test="${!empty operationsToRoles}">
+    <input id="_permissions" type="hidden" name="_permissions" value="enabled" />
+    <input id="${BaseEditController.ENTITY_URI_ATTRIBUTE_NAME}" type="hidden" name="${BaseEditController.ENTITY_URI_ATTRIBUTE_NAME}" value="${_permissionsEntityURI}" />
+    <input id="${BaseEditController.ENTITY_TYPE_ATTRIBUTE_NAME}" type="hidden" name="${BaseEditController.ENTITY_TYPE_ATTRIBUTE_NAME}" value="${_faux_property_type}" />
+	<c:forEach var="entry" items="${operationsToRoles}">
+		<tr class="editformcell">
+			<td valign="top" colspan="5"><b>${entry.key}</b> permissions for this property<br /> 
+				<c:set var="operationLowercase" value="${fn:toLowerCase(entry.key)}" />
+				<c:forEach var="role" items="${entry.value}">
+					<input id="${operationLowercase}${role.label}"
+						type="checkbox" name="${operationLowercase}Roles"
+						value="${role.uri}" ${role.granted?'checked':''}
+						${role.enabled?'':'disabled'} />
+					<label class="inline" for="${operationLowercase}${role.label}">${role.label}</label>
+				</c:forEach>
+			</td>
+		</tr>
+		<tr>
+			<td colspan="5">
+				<hr class="formDivider" />
+			</td>
+		</tr>
+	</c:forEach>
+</c:if>
+<!-- Permissions End -->
 
 <tr class="editformcell">
     <td valign="top" colspan="1">
diff --git a/webapp/src/main/webapp/templates/edit/specific/property_retry.jsp b/webapp/src/main/webapp/templates/edit/specific/property_retry.jsp
index 5cb3682d04..00ad410eb9 100644
--- a/webapp/src/main/webapp/templates/edit/specific/property_retry.jsp
+++ b/webapp/src/main/webapp/templates/edit/specific/property_retry.jsp
@@ -1,7 +1,10 @@
 <%-- $This file is distributed under the terms of the license in LICENSE$ --%>
 
 <%@ taglib prefix="form" uri="http://vitro.mannlib.cornell.edu/edit/tags" %>
-<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
+<%@ taglib prefix="c"  uri="http://java.sun.com/jsp/jstl/core" %>
+<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions"%>
+
+<jsp:directive.page import="edu.cornell.mannlib.vedit.controller.BaseEditController"/>
 
 <%-- colspan set to 6 in PropertyRetryController.java --%>
 <tr class="editformcell">
@@ -186,29 +189,32 @@
     </td>
 </tr>
 <tr><td colspan="5"><hr class="formDivider"/></td></tr>
-<tr class="editformcell">
-    <td valign="top" colspan="2">
-        <b>Display level</b><br />
-        <select name="HiddenFromDisplayBelowRoleLevelUsingRoleUri">
-            <form:option name="HiddenFromDisplayBelowRoleLevelUsingRoleUri"/>
-        </select>
-    </td>
-    <td valign="top" colspan="2">
-        <b>Update level</b><br/>
-        <select name="ProhibitedFromUpdateBelowRoleLevelUsingRoleUri">
-            <form:option name="ProhibitedFromUpdateBelowRoleLevelUsingRoleUri"/>
-        </select>
-    </td>
-</tr>
-<tr class="editformcell">
-    <td valign="top" colspan="2">
-        <b>Publish level</b><br />
-        <select name="HiddenFromPublishBelowRoleLevelUsingRoleUri">
-            <form:option name="HiddenFromPublishBelowRoleLevelUsingRoleUri"/>
-        </select>
-    </td>
-</tr>
-<tr><td colspan="5"><hr class="formDivider"/></td></tr>
+<!-- Permissions -->
+<c:if test="${!empty operationsToRoles}">
+    <input id="_permissions" type="hidden" name="_permissions" value="enabled" />
+    <input id="${BaseEditController.ENTITY_URI_ATTRIBUTE_NAME}" type="hidden" name="${BaseEditController.ENTITY_URI_ATTRIBUTE_NAME}" value="${_permissionsEntityURI}" />
+    <input id="${BaseEditController.ENTITY_TYPE_ATTRIBUTE_NAME}" type="hidden" name="${BaseEditController.ENTITY_TYPE_ATTRIBUTE_NAME}" value="OBJECT_PROPERTY" />
+	<c:forEach var="entry" items="${operationsToRoles}">
+		<tr class="editformcell">
+			<td valign="top" colspan="5"><b>${entry.key}</b> permissions for this property<br /> 
+				<c:set var="operationLowercase" value="${fn:toLowerCase(entry.key)}" />
+				<c:forEach var="role" items="${entry.value}">
+					<input id="${operationLowercase}${role.label}"
+						type="checkbox" name="${operationLowercase}Roles"
+						value="${role.uri}" ${role.granted?'checked':''}
+						${role.enabled?'':'disabled'} />
+					<label class="inline" for="${operationLowercase}${role.label}">${role.label}</label>
+				</c:forEach>
+			</td>
+		</tr>
+		<tr>
+			<td colspan="5">
+				<hr class="formDivider" />
+			</td>
+		</tr>
+	</c:forEach>
+</c:if>
+<!-- Permissions End -->
 <tr class="editformcell">
     <td valign="top" colspan="1">
         <b>Display tier</b> for this property<br/>
diff --git a/webapp/src/main/webapp/templates/edit/specific/vclass_retry.jsp b/webapp/src/main/webapp/templates/edit/specific/vclass_retry.jsp
index f7f6dd56a1..864879e82c 100644
--- a/webapp/src/main/webapp/templates/edit/specific/vclass_retry.jsp
+++ b/webapp/src/main/webapp/templates/edit/specific/vclass_retry.jsp
@@ -2,7 +2,11 @@
 
 <!-- $This file is distributed under the terms of the license in LICENSE$ -->
 
-<jsp:root xmlns:jsp="http://java.sun.com/JSP/Page" xmlns:c="http://java.sun.com/jsp/jstl/core" xmlns:form="http://vitro.mannlib.cornell.edu/edit/tags" version="2.0">
+<%@ taglib prefix="form" uri="http://vitro.mannlib.cornell.edu/edit/tags" %>
+<%@ taglib prefix="c"  uri="http://java.sun.com/jsp/jstl/core" %>
+<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions"%>
+
+<jsp:directive.page import="edu.cornell.mannlib.vedit.controller.BaseEditController"/>
 
 <tr class="editformcell">
 	<td valign="bottom" colspan="2">
@@ -83,29 +87,32 @@
 	</td>
 </tr>
 <tr><td colspan="4"><hr class="formDivider"/></td></tr>
-<tr class="editformcell">
-    <td valign="bottom" colspan="1">
-        <b>Display level</b><br/>
-        <select name="HiddenFromDisplayBelowRoleLevelUsingRoleUri">
-            <form:option name="HiddenFromDisplayBelowRoleLevelUsingRoleUri"/>
-        </select>
-    </td>
-    <td valign="bottom" colspan="1">
-        <b>Update level</b><br/>
-        <select name="ProhibitedFromUpdateBelowRoleLevelUsingRoleUri">
-            <form:option name="ProhibitedFromUpdateBelowRoleLevelUsingRoleUri"/>
-        </select>
-    </td>
-</tr>
-<tr class="editformcell">
-    <td valign="bottom" colspan="1">
-        <b>Publish level</b><br/>
-        <select name="HiddenFromPublishBelowRoleLevelUsingRoleUri">
-            <form:option name="HiddenFromPublishBelowRoleLevelUsingRoleUri"/>
-        </select>
-    </td>
-</tr>
-<tr><td colspan="4"><hr class="formDivider"/></td></tr>
+<!-- Permissions -->
+<c:if test="${!empty operationsToRoles}">
+    <input id="_permissions" type="hidden" name="_permissions" value="enabled" />
+    <input id="${BaseEditController.ENTITY_URI_ATTRIBUTE_NAME}" type="hidden" name="${BaseEditController.ENTITY_URI_ATTRIBUTE_NAME}" value="${_permissionsEntityURI}" />
+    <input id="${BaseEditController.ENTITY_TYPE_ATTRIBUTE_NAME}" type="hidden" name="${BaseEditController.ENTITY_TYPE_ATTRIBUTE_NAME}" value="CLASS" />
+	<c:forEach var="entry" items="${operationsToRoles}">
+		<tr class="editformcell">
+			<td valign="top" colspan="5"><b>${entry.key}</b> permissions for this property<br /> 
+				<c:set var="operationLowercase" value="${fn:toLowerCase(entry.key)}" />
+				<c:forEach var="role" items="${entry.value}">
+					<input id="${operationLowercase}${role.label}"
+						type="checkbox" name="${operationLowercase}Roles"
+						value="${role.uri}" ${role.granted?'checked':''}
+						${role.enabled?'':'disabled'} />
+					<label class="inline" for="${operationLowercase}${role.label}">${role.label}</label>
+				</c:forEach>
+			</td>
+		</tr>
+		<tr>
+			<td colspan="5">
+				<hr class="formDivider" />
+			</td>
+		</tr>
+	</c:forEach>
+</c:if>
+<!-- Permissions End -->
 <tr class="editformcell">
 	<!--td valign="top" colspan="1">
 		<b>Display Limit</b><br/>
@@ -133,4 +140,3 @@
 	</td>
 </tr>
 <tr><td colspan="4"><hr class="formDivider"/></td></tr>
-</jsp:root>
diff --git a/webapp/src/main/webapp/templates/freemarker/lib/lib-properties.ftl b/webapp/src/main/webapp/templates/freemarker/lib/lib-properties.ftl
index 2d5872979f..cf4699ecf4 100644
--- a/webapp/src/main/webapp/templates/freemarker/lib/lib-properties.ftl
+++ b/webapp/src/main/webapp/templates/freemarker/lib/lib-properties.ftl
@@ -250,9 +250,6 @@ name will be used as the label. -->
             <a class="propertyLink" href="${verboseDisplay.propertyEditUrl}" title="${i18n().name}">${verboseDisplay.localName}</a>
             (<span>${property.type?lower_case}</span> property);
             order in group: <span>${verboseDisplay.displayRank}</span>;
-            display level: <span>${verboseDisplay.displayLevel}</span>;
-            update level: <span>${verboseDisplay.updateLevel}</span>;
-            publish level: <span>${verboseDisplay.publishLevel}</span>
         </section>
     </#if>
 </#macro>