rip out the notion of Resources
It makes things a _lot more_ complicated having to deal with resources and there's a much nicer way to deal with it: Punt it to the apps: It's much more natural for the application to have a notion about about what resources are "trusted" (and e.g. requires lesser privileges) and what resources aren't. Consider dial-up networking; here the privileged application that performs the dial-up operation consults a list (maintained by the system administrator) of allowed numbers to dial. If the unprivileged networking UI applet that requests a number to be dialed is on the list it uses the PolicyKit action 'nm-dialup-trusted-location', if it isn't then it uses the PolicyKit action 'nm-dialup-untrusted-location'.