From ALT Linux Wiki
control is a framework allowing to select one of several fixed configurations for tasks lending themselves to such a selection; it is used in ALT Linux and Owl GNU/*/Linux to manage SUID/SGID binaries in the first place.
Thus control cdrecord public and control cdrecord restricted commands will allow cdrecord use to all users or to cdwriter group members only, appropriately.
One can list all the facilities available along with their current state and allowed states by running control with no arguments.
control runs a corresponding /etc/control.d/facilities/ script to switch state. Implementation of particular facility switcher is up to its developer's fancy :)
E.g., cdrecord script changes permissions for cdrecord binary while cups script edits cupsd.conf regarding RunAsUser.
$ sudo control at restricted (public restricted atdaemon) crontab public (public restricted) fusermount restricted (public wheelonly restricted) gpasswd restricted (public wheelonly restricted) mount public (public wheelonly restricted) newgrp restricted (public wheelonly restricted) nfsmount restricted (public wheelonly restricted) pam_mktemp enabled (enabled disabled) passwd tcb (tcb traditional restricted) ping public (public netadmin restricted) ping6 restricted (public netadmin restricted) postfix local (local server filter) postqueue public (public mailadm restricted) sftp disabled (enabled disabled) su wheelonly (public wheel wheelonly restricted) sudo public (public wheelonly restricted) sudoers unknown (strict relaxed) system-auth local (local ldap) tcb_chkpwd tcb (traditional tcb restricted) write public (public restricted)