[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: [xacml] Grants and Denys
On reflection, I am strongly opposed the the approach of having separate GRANT and DENY rules which somehow interact with each other.
I favor the approach, as in 0.9, where there is a single boolean that determines whether or not to grant access, for the following reasons:
1. I disagree that the former approach is more expressive. I believe they are equal.
2. I believe the latter is more intutive, although this may depend to some extent on what you are used to.
3. As witness our discussion Monday, the former approach adds a lot of additional issues.
In summary, since we are trying to produce one of two possible results, why start out with a scheme that produces one of four and then try to map it?
(G-T D-T, G-F D-T, G-T D-F, G-F G-T)
Hal
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC