Seems like caveats should be able to model this - store the user's permitted ports in context with the user's relationship to the machine, write a caveat that checks the stored ports against a query-time context-supplied (i.e. actually accessed) port.
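
A minimal model of the approach described in the comment above, as an added example that is not part of the original comment and not any particular authorization system's API. The `Store`, `Relationship` and `port_permitted` names, the `permitted_ports` and `port` context keys, and the sample data are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class Result(Enum):
    ALLOWED = "allowed"
    DENIED = "denied"
    MISSING_CONTEXT = "missing_context"  # caveat could not be evaluated


def port_permitted(ctx: dict) -> bool:
    """Caveat: the port actually accessed must be in the stored permitted set."""
    port = ctx["port"]
    # Reject bools and out-of-range values instead of letting them match by accident.
    if type(port) is not int or not 1 <= port <= 65535:
        return False
    return port in ctx["permitted_ports"]


@dataclass
class Relationship:
    user: str
    machine: str
    stored_context: dict = field(default_factory=dict)  # written with the relationship


class Store:
    def __init__(self):
        self._rels = []

    def write(self, user, machine, permitted_ports):
        ctx = {"permitted_ports": frozenset(permitted_ports)}
        self._rels.append(Relationship(user, machine, ctx))

    def check(self, user, machine, query_context=None):
        result = Result.DENIED  # no relationship means no access
        for rel in self._rels:
            if (rel.user, rel.machine) != (user, machine):
                continue
            # Stored values override caller-supplied ones, so a caller cannot
            # widen its own permitted_ports at query time.
            ctx = {**(query_context or {}), **rel.stored_context}
            if "port" not in ctx:
                result = Result.MISSING_CONTEXT
            elif port_permitted(ctx):
                return Result.ALLOWED
        return result


store = Store()
store.write("alice", "db-01", [22, 5432])  # constructed sample data
```

A caller that gets `MISSING_CONTEXT` should treat it as a denial unless it can supply the accessed port and re-check.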