With each principal is a list of groups that the principal is a member. These groups grant capabilities for the principal.
On each thing in the environment is an access control list, an ACL. The ACL is a property list of group and permission pairs. The principals in the group have the stated permissions that can be accomplished. These are granted by the authorization service.
If group membership is very dynamic, the groups take on roles. The membership of the group could be guided by a rule base.
The principals are granted access and privileges with a role-based authorization algorithm based on dynamic groups and access control lists.