- stricter rule checking when multiple roles have permissions on same resource - tracking (prev: evaluation) is refactored to stand out less than previous solution - performance optimization on certain situations (earlier fn return)