OASIS Mailing List Archives

xacml message


Subject: Any Subject, Any Resource, Any Action, Any Environment (fwd from Polar)


I think I may have misunderstood the approach before, or just didn't read
it carefully enough.  So, if I am reading the right document, the change
on the target is that, NOW, the sub-elements of <Target> are OPTIONAL.
Whereas, previously they had been REQUIRED.  Correct? (The diffs I see do
not seem to reflect this change).

<Target> has always been a conjunctive sequence of its subordinate
elements.  Now, due to the optionality of its subordinates, you may now end
up with an empty conjunctive sequence, which is commonly said to be
"true", and therefore an "empty" target evaluates to "Match".

If I've got the intent wrong on any of the following please let me know:

So, now, an empty target:

<Target>
</Target>

has the same meaning as:

<Target>
  <AnySubject/><AnyResource/><AnyAction/><AnyEnvironment/>
</Target>

Correct? Therefore, this approach also means that you may have

<Target>
   <Resources><Resource>....</Resource></Resources>
</Target>

with the resulting applicability predicate concerned with just the listed
resources.

This approach is logically consistent, as long as we can agree that

<Target>
  <AnySubject/>
  <Resources><Resource>....</Resource></Resources>
  <AnyAction/>
  <AnyEnvironment/>
</Target>

has the same meaning as the <Target> immediately above, and that

<Target>
  <Subjects>
  </Subjects>
  <AnyResource/>
  <AnyAction/>
  <AnyEnvironment/>
</Target>

(or any other target with an empty disjunctive subordinate) always
evaluates to "No-Match".

I don't know if this is an issue, but we should maintain <AnySubject>, etc.
for backward compatibility reasons.

Cheers,
-Polar

-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
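
The semantics described in the message, as an added Python example that is not part of the original post or of the XACML specification: the target is an AND over the sections present and each section is an OR over its alternatives. Matching by plain string equality on element text, the evaluate_target name, and the sample request and targets are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Disjunctive sections and the element naming one alternative inside each.
SECTIONS = {"Subjects": "Subject", "Resources": "Resource",
            "Actions": "Action", "Environments": "Environment"}
# Explicit wildcards, kept for backward compatibility.
WILDCARDS = {"AnySubject", "AnyResource", "AnyAction", "AnyEnvironment"}

def evaluate_target(target_xml, request):
    """Return "Match" or "No-Match" for a <Target> against a request dict.

    Simplification (assumption): an alternative matches when its text equals
    the request value for that section; real XACML uses match functions.
    """
    target = ET.fromstring(target_xml)
    conjuncts = []
    for child in target:
        if child.tag in WILDCARDS:
            conjuncts.append(True)
        elif child.tag in SECTIONS:
            wanted = request.get(child.tag)
            alternatives = child.findall(SECTIONS[child.tag])
            # OR over alternatives: any([]) is False, so an empty section never matches.
            conjuncts.append(any((a.text or "").strip() == wanted for a in alternatives))
        else:
            raise ValueError(f"unexpected element in <Target>: {child.tag}")
    # AND over sections: all([]) is True, so an empty target matches.
    return "Match" if all(conjuncts) else "No-Match"

# Constructed sample request and targets mirroring the cases in the message.
REQUEST = {"Subjects": "alice", "Resources": "/records/42",
           "Actions": "read", "Environments": "office"}
EMPTY = "<Target></Target>"
ALL_ANY = "<Target><AnySubject/><AnyResource/><AnyAction/><AnyEnvironment/></Target>"
RES_ONLY = "<Target><Resources><Resource>/records/42</Resource></Resources></Target>"
RES_WITH_ANY = ("<Target><AnySubject/><Resources><Resource>/records/42</Resource>"
                "</Resources><AnyAction/><AnyEnvironment/></Target>")
EMPTY_SUBJECTS = ("<Target><Subjects></Subjects><AnyResource/><AnyAction/>"
                  "<AnyEnvironment/></Target>")

if __name__ == "__main__":
    for name in ("EMPTY", "ALL_ANY", "RES_ONLY", "RES_WITH_ANY", "EMPTY_SUBJECTS"):
        print(name, evaluate_target(globals()[name], REQUEST))
```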
