Subject: Re: [xacml] policy subcommittee meeting on Dec. 10 - minutes
Hal writes:
> When I learned logic, the following would evaluate to
> false for "Joe", therefore access would be denied.
>
> (group = "employee") and (not(user = "Joe"))
>
> Suppose I combine that with another rule using AND, for example:
>
> ((group = "employee") and (not(user = "Joe"))) and
> (time is between 9:00 - 17:00)
>
> This still evaluates to false for Joe, so his access is
> still denied.

JSE: Of course, let's also remember that in a practical implementation, this sort of exclusion is likely to be done elsewhere --- typically in the role assignments and the binding of policies to those roles. If the administrators need finer granularity than "employee," they are likely to create roles (and corresponding resource classifications) that properly handle the case presented (because this week they are blocking Joe, but next week it is Oly and Lena). So instead of crafting predicates as shown, they would create e.g. a "specialEmployee" role and include that in the policy expressions.

John
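The two styles discussed above, as an added illustration that is not part of the original thread and not XACML itself: a small evaluator in Python that runs Hal's predicate (employee, not Joe, during 9:00-17:00) and John's role-based alternative (a "specialEmployee" role whose membership is administered separately) against constructed request contexts. The role table, the user names other than Joe, Oly and Lena, and the helper names are assumptions made here; the point it shows is that under the role-based form the policy text never changes when the excluded person changes.

```python
"""Constructed example: hard-coded exclusion predicate vs. role-based exclusion.
Not part of the original mailing-list thread; all data below is made up."""
from datetime import time

# Times used by the demonstration (constructed).
NOON = time(12, 0)
EVENING = time(18, 0)


def make_request(user, groups, at):
    """A request context: subject id, the roles/groups bound to it, and the access time."""
    return {"user": user, "groups": frozenset(groups), "time": at}


def business_hours(req):
    """Hal's time condition: between 9:00 and 17:00 inclusive."""
    return time(9, 0) <= req["time"] <= time(17, 0)


def predicate_policy(req):
    """Hal's formulation: the exclusion of Joe is written into the predicate itself.
    ((group = "employee") and (not(user = "Joe"))) and (time between 9:00 and 17:00)"""
    return ("employee" in req["groups"]
            and req["user"] != "Joe"
            and business_hours(req))


def role_policy(req):
    """John's alternative: the policy names only a role; who holds it is decided
    in role assignment, so the policy text never mentions an individual."""
    return "specialEmployee" in req["groups"] and business_hours(req)


def decide(policy, req):
    """Default-deny: anything the policy does not affirm is denied."""
    return "Permit" if policy(req) else "Deny"


def decide_for(policy, role_assignments, user, at):
    """Build the request from the administered role bindings, then evaluate it."""
    req = make_request(user, role_assignments.get(user, ()), at)
    return decide(policy, req)


# Constructed role table for "this week": Joe is excluded simply by not holding the role.
THIS_WEEK = {
    "Ann": {"employee", "specialEmployee"},
    "Joe": {"employee"},
    "Oly": {"employee", "specialEmployee"},
    "Lena": {"employee", "specialEmployee"},
}


def reassign(role_assignments, grant=(), revoke=()):
    """Return a new role table with (user, role) pairs granted or revoked.
    The original table is left untouched and the policy text is not edited."""
    table = {u: set(r) for u, r in role_assignments.items()}
    for user, role in grant:
        table.setdefault(user, set()).add(role)
    for user, role in revoke:
        table.get(user, set()).discard(role)
    return table


# "Next week": Joe is allowed again, Oly and Lena are the ones being blocked.
NEXT_WEEK = reassign(THIS_WEEK,
                     grant=[("Joe", "specialEmployee")],
                     revoke=[("Oly", "specialEmployee"), ("Lena", "specialEmployee")])


if __name__ == "__main__":
    for user in THIS_WEEK:
        print(f"{user:5} this week  predicate={decide_for(predicate_policy, THIS_WEEK, user, NOON):6} "
              f"role={decide_for(role_policy, THIS_WEEK, user, NOON)}")
    for user in NEXT_WEEK:
        print(f"{user:5} next week  predicate={decide_for(predicate_policy, NEXT_WEEK, user, NOON):6} "
              f"role={decide_for(role_policy, NEXT_WEEK, user, NOON)}")
    print("Ann after hours (role policy):", decide_for(role_policy, THIS_WEEK, "Ann", EVENING))
```

Running it shows the asymmetry John points at: when the exclusion moves from Joe to Oly and Lena, `role_policy` gives the right answers after a role-table change alone, while `predicate_policy` still denies Joe and still permits Oly and Lena because the names are baked into the rule. Both forms deny Ann outside business hours, and both deny a subject with no bindings at all, since evaluation is default-deny.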