While groups are generally helpful for the definition of authorization policies,
their use in distributed systems is not straightforward. This paper describes a
design for authorization in distributed systems that treats groups as formal
languages. The design supports forms of delegation and negative clauses in
authorization policies. It also considers the wish for privacy and efficiency in
group-membership checks, and the possibility that group definitions may not all be
available and may contain cycles.