Next to the helper domains, most functionality-driven policies also group privileges that can be assigned to domains. Such privileges could be to not only manage the common resources, but also to extend other domains with functional requirements as managed by the common policy.

All e-mail daemons need to be able to bind to the proper TCP ports, handle user mailboxes, and so on. By bundling these common privileges on the functional policy level, any evolution pertaining to the policy can be immediately granted to all domains inheriting privileges from the functional policy, rather than having to update each domain individually.