Security Interceptor Rules

So I am working on a security module for the ColdBox module contest. I am also using this module at work on a new project, so it works out great! Anyways, I had a scenario come up at work, and I am sure others will have similar use cases once I put this module out. In my app I have the entire example app locked down to users with the role of admin or author. Once they are logged in, though, they can both do everything except… I don't want authors messing with users or roles… I thought this approach would get me there, but it's not working as expected.

solitary:security\..* \..* admin,author security/login false .* users\..*,roles\..* admin security/AccessDenied false

Is this approach possible, or do I need to then implement a permissions-based system? If so, can anyone provide examples where multiple rules have worked for you so I can better understand how to use them?