Access Control Strategies for Life Cycle Managed Objects
Consider starting with more restrictive access control rules and then using activity- or life cycle-based rules to open up access. Also consider placing rules that grant wide access to information or access to information in its final state in a policy ACL, as access can easily be extended or restricted. A policy rule can change access to many objects, while changing access control permissions in ad hoc ACLs requires action on each individual object.
You can establish complementary access control rules for domains and the objects that are associated with them. Similarly, you can implement an access control strategy by balancing the use of policy and ad hoc ACLs.
Conversely, you can create a domain policy that provides for more open access to cabinets and their contents. In this case, you would define few (if any), access control rules within the life cycle.