Policies, sets of rules that govern permission to access resources, have long been used in computer security and online privacy
management; however, the usability of authoring methods has received limited treatment from usability experts. With the rise
in networked applications, distributed data storage, and pervasive computing, authoring comprehensive and accurate policies
is increasingly important, and is increasingly performed by relatively novice and occasional users. Thus, the need for highly
usable policy-authoring interfaces across a variety of policy domains is growing. This paper presents a definition of the
security and privacy policy-authoring task in general and presents the results of a user study intended to discover some usability
challenges that policy authoring presents. The user study employed SPARCLE, an enterprise privacy policy-authoring application.
The usability challenges found include supporting object grouping, enforcing consistent terminology, making default policy
rules clear, communicating and enforcing rule structure, and preventing rule conflicts. Implications for the design of SPARCLE
and of user interfaces in other policy-authoring domains are discussed.
Keywords: Policy, policy-authoring, privacy, security, usability