Subject: Re: Negative Policies -- negative membership
Here is an idea for how to achieve the effect of negative policies, but in a "clean" way: membership exceptions.

I looked at the policy proposal by Carlisle, which defines (initiator,action,object) triplets. The idea is to turn it into quads (initiator,exceptions,action,object) with the following semantics: for purposes of evaluation, if the entity making the request is identified by the initiator, but not by the exceptions, then consider this entry.

For example, to say "fred can't" you say "everyone {except fred} can".

I'll have to think about it a bit more, but it seems like it's worth pursuing.

/r$

--
Zolera Systems, Securing web services (XML, SOAP, Signatures, Encryption)
http://www.zolera.com
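
The quad semantics described in the message above, as an added sketch that is not part of the original post or of the proposal it refers to: entries only grant, a request is allowed when some entry's initiator identifies the requester and its exceptions do not, and everything else is denied. The group directory, the names, and the permit-only combining rule are assumptions made for the illustration.

```python
from dataclasses import dataclass

# Constructed group directory; names are illustrative only.
GROUPS = {
    "everyone": {"alice", "bob", "fred"},
    "admins": {"alice", "fred"},
}

def identifies(names, subject):
    """True if subject is named directly or belongs to a named group."""
    return any(n == subject or subject in GROUPS.get(n, ()) for n in names)

@dataclass(frozen=True)
class Entry:
    initiator: frozenset   # users or groups the entry applies to
    exceptions: frozenset  # users or groups carved out of the initiator
    action: str
    obj: str

    def applies_to(self, subject, action, obj):
        return (self.action == action and self.obj == obj
                and identifies(self.initiator, subject)
                and not identifies(self.exceptions, subject))

def permitted(policy, subject, action, obj):
    """Permit-only evaluation: allow if any entry applies, otherwise deny."""
    return any(e.applies_to(subject, action, obj) for e in policy)

def entry(initiator, exceptions, action, obj):
    return Entry(frozenset(initiator), frozenset(exceptions), action, obj)

# "everyone {except fred} can read report"
policy = [entry({"everyone"}, {"fred"}, "read", "report")]

# An exception is scoped to its own entry: a second entry that reaches fred
# through another group grants the access again.
policy_with_admins = policy + [entry({"admins"}, set(), "read", "report")]

if __name__ == "__main__":
    for who in ("alice", "fred"):
        print(who, permitted(policy, who, "read", "report"),
              permitted(policy_with_admins, who, "read", "report"))
```

Under this combining rule an exception removes a subject from one entry only, so a policy review has to check every entry that can reach the excluded subject before relying on the exclusion.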