negating target matches

[seth proctor <Seth.Proctor@Sun.COM>]

In a recent conversation someone asked my why there aren't "not-equal" 
functions to go with all the "equal" functions. I naively responded that 
you can always use the "not" function, but he explained that he wanted 
this for Target Matching, e.g. "match any subject who doesn't have this 
name" or "match any access not for this server."

It got me thinking about Targets...we have some of the obvious boolean 
operations covered (we can say "and" and "or"), but we don't have 
negation. I'm loathe to bring this up when we're already so far along on 
2.0, but I'm curious what other people think. What's your opinon about 
having a flag (or something) that negates a TargetMatch?

In a related vein, I'm somewhat surprised that new functions haven't 
been proposed for 2.0. Does anyone have any new functions that they 
think would be useful? In the afore-mentioned conversation I was asked 
about some of the standard string functions like concatination, 
substring, etc. (thinking back, these are functions that I've also 
wanted to use in policies). I've only been thinking about this for a 
short time, but I think they would be useful...anyway, I wanted to get 
some opinions on that too.

I'll get back to my real work now :)


seth