- Every branch must end in a double wildcard. (the system will add this implicitly), so this:is: a:test becomes this:is: a:test:**, this has to do with the tree otherwise not being able to store these implicit wildcards.
- More specific permissions will override more generic permissions. (non wildcards override wildcards)
- Temporary permissions will override permanent permissions.
- Permissions with less wildcards always override permissions with more wildcards.
- Double wildcard ("**") cannot have any children ever. It is ALWAYS a leaf node.