Code with a certain level of trust may want to execute at times with a reduces set of effective permissions. For example a trusted application may have a “test mode” that can be selected for testing that ensures no live data is going to be modified accidentally. The security system can be used to ensure no file operations are possible by use of a deny of write permission for all files (subject to possible assert).
Similarly, to execute with a specific set of permissions and no more, use a permit-only override. Under the override, only the specified permissions will be allowed (again, subject to possible assert).