xacml message
Subject: Re: Negative Policies -- negative membership


Here is an idea for how to achieve the effect of negative policies, but
in a "clean" way:  membership exceptions.

I looked at the policy proposal by Carlisle, which defines
(initiator,action,object) triplets.  The idea is to turn it into quads
(initiator,exceptions,action,object) with the following semantic: for
purposes of evaluation, if the entity making the request is identified
by the initiator, but not by the exceptions, then consider this
entry.

For example, to say "fred can't" you say "everyone {except fred} can"

I'll have to think about it a bit more, but it seems like it's worth
pursuing.
	/r$
-- 
Zolera Systems, Securing web services (XML, SOAP, Signatures,
Encryption)
http://www.zolera.com
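The quad semantics described in the message above, worked through as an added example (this is not code from the original post, the XACML TC, or the Carlisle proposal). It assumes a small constructed group directory, a deny-by-default evaluator, and that an exception may name either a single principal or a group; all of those are assumptions of the example. It also shows the caveat a policy author would want to know about: an exception only carves a principal out of the one entry it is attached to, so with deny-by-default and several entries, "everyone {except fred} can read" does not stop fred from reading if some other entry (say, for a group fred belongs to) grants the same action.

```python
from dataclasses import dataclass
from typing import FrozenSet, List

# Constructed group directory (assumption of the example). A name that is
# not a group resolves to the single principal of that name.
GROUPS = {
    "everyone": frozenset({"fred", "alice", "bob"}),
    "staff": frozenset({"fred", "alice"}),
    "admins": frozenset({"alice"}),
}


def members(name: str) -> FrozenSet[str]:
    """Resolve a principal-or-group name to the set of principals it denotes."""
    return GROUPS.get(name, frozenset({name}))


@dataclass(frozen=True)
class Quad:
    """(initiator, exceptions, action, object) as proposed in the message."""
    initiator: str
    exceptions: FrozenSet[str]
    action: str
    obj: str


def quad_applies(quad: Quad, subject: str, action: str, obj: str) -> bool:
    """The proposed semantic: the entry is considered only if the requester is
    identified by the initiator and NOT identified by any of the exceptions."""
    if action != quad.action or obj != quad.obj:
        return False
    if subject not in members(quad.initiator):
        return False
    return not any(subject in members(exc) for exc in quad.exceptions)


def evaluate(policy: List[Quad], subject: str, action: str, obj: str) -> str:
    """Deny-by-default (assumption of the example): a request is permitted only
    if at least one quad applies to it; otherwise no entry speaks to it."""
    if any(quad_applies(q, subject, action, obj) for q in policy):
        return "Permit"
    return "NotApplicable"


# "fred can't read doc1" expressed positively: "everyone {except fred} can".
READ_POLICY = [Quad("everyone", frozenset({"fred"}), "read", "doc1")]

# The caveat: a second entry for a group fred belongs to grants write, and the
# exception on the first entry has no effect on it.
WRITE_POLICY = READ_POLICY + [Quad("staff", frozenset(), "write", "doc1")]

# An exception naming a group carves every member of that group out.
GROUP_EXCEPTION_POLICY = [Quad("everyone", frozenset({"admins"}), "read", "doc1")]


if __name__ == "__main__":
    for who in ("fred", "alice", "bob"):
        print(who, "read doc1 ->", evaluate(READ_POLICY, who, "read", "doc1"))
    print("fred write doc1 ->", evaluate(WRITE_POLICY, "fred", "write", "doc1"))
    print("alice read doc1 (admins excepted) ->",
          evaluate(GROUP_EXCEPTION_POLICY, "alice", "read", "doc1"))
```

Because an exception only narrows the initiator set of its own entry, the effect of "fred can't" holds only as long as no other entry in the policy identifies fred for the same action and object; an author who wants a global negative for fred has to attach the exception to every entry that could otherwise identify him.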

