I also want to add that most of the people in the community that pays attention to Common Criteria type security uses the term "principal" to refer to users. They instead tend to use the term "subject", and in this context they generally do so in reference to a program.
Butler Lampson and a bunch of other people have done various logics for authorization and delegation that use exactly this model.
Jonathan