[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: RE: [xacml] Function Completeness
Daniel, >All I am saying is that if you *can* say integer-greater than in the >MatchId, and you *can't* say "integer-less", you have a hole in the things >that you can represent. I am saying that I do not think that there is any benefit in even saying "integer-greater" in MatchId. If I remember correctly on the Monday call Simon was ensuring me that we do not expand the semantics of MatchId to substitute the condition. Also matching by negation: mathching all "not equal", is MUCH harder to index or search - just time some database operations.. >Do you really think it is not a good idea to cover that hole? I do not see a hole. You can express any authorization decision you need without this functionality and while preserving simple matching semantics. A bigger hole would be, getting back to my parachute example, if you have different parachute sizes supporting different weights permit(anysubject, parachute, jump) if (integer-greater resource:parachute_TSO_limit subject:weight) Expressing this in MatchId - with a resource selector will require an additional rule for each parachute size. It should not be expressed in MatchId.. Regards. Daniel;
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC