The usual way to do that is apply the rule at the time the status changes (a new cs student is created as a user, say, or an existing student switches to cs) and then grant or revoke permissions on objects, or add/remove user to/from group which has the permission.
A problem I see with -just- having a rule, is then there will be more than one place to look for permissions (look at the permissions table, AND sequence thru each object, getting its attributes, look at each rule and see if it applies). The complexity would be close to O(n^3) (where n enumerates acs_objects or database rows). This doesn't seem scalable to me; besides, I just want to check the permission and be done with it.
So, if you're going to have a rule-based system, ok, but apply the rule and set permissions at the time when the user's status changes.
