Changing permission on an object
There are several ways to change the effective permissions on a controlled object:
Change its owning user or group (if effective ACL uses special principal). If the effective ACL of the rolemap controlling an object uses the Owner-User or Owner-Group principal, you can change the effective permission on the object by changing the user or group that owns the object. The new owning user/group will be consulted to determine if an account accessing the object should be granted permissions from the access control entry for Owner-User or Owner-Group.
Change the binding of the object to a different rolemap. This method changes permissions only for the object itself. It does not modify permissions for other objects using the same rolemap or policy. One may need to create a suitable new rolemap providing the desired effective ACL before changing the object's rolemap binding.
Change its rolemap's mappings. Changing a rolemap's mappings can change the access on any object of any metatype controlled by the same rolemap, depending on which metatype ACLs in the rolemap's policy have role access control entries related to the change. You can add or remove concrete principals to or from fulfilling a role. For example, if you change a mapping in a rolemap, and the change alters the effective ACL for elements, all the elements protected by the rolemap have will their protection changed.
Change its rolemap's policy's metatype-specific ACL. Changing a policy's metatype-specific ACL will change the effective access for all objects of the same metatype controlled by any rolemap implementing that policy. This change has the largest scope of changed protections. You can add or remove a principal from the metatype's ACL, or change permissions granted to an existing principal. For example, if you change the element ACL in a policy, all the elements protected by all the rolemaps implementing to that policy will have their protection changed.