RE: [xacml] Function Completeness

[Polar Humenn <polar@syr.edu>]

Daniel,

All I am saying is that if you *can* say integer-greater than in the
MatchId, and you *can't* say "integer-less", you have a hole in the things
that you can represent.

Do you really think it is not a good idea to cover that hole?

-Polar

On Wed, 18 Sep 2002, Daniel Engovatov wrote:

> >As I was saying, I am looking at functional completeness. I see a
> >deficiency in things you can say, which makes coverage of the language
> >incomplete.
>
> In the MatchId?  Why our languge should be "complete" in the MatchId?
>
> MatchId is not for making authorization decisions. It is for selecting
> applicable rules. - Different purpose - different semantics.
>
> In your example - if you do not want to permit a person over 250lb to jump
> a parachute, as its reserve is TSO'd to 250lb - you write it in condition.
>
> permit(anysubject, parachute, jump) if (integer-greater 250 subject:weight)
>
> You suggest:
> permit(subject with (not (integer-greater weigth 250)), parachute, jump) if
> true;
>
> It has no advantage over the previous expression - logically equivalent
> but a disadvantage of messing up simple target matching semantics.
>
> > Use cases may serve as a set of requirments to satisfy, but they do not
> > cover the entire space of use cases. You certainly do not produce every
> > use case you may envision.
>
> It does not mean that we have to put in every possible feature - just in
> case.
> For each feature there should be at least one requirement.
> Remember the KISS priciple, and an older one: "Pluralitas non est ponenda
> sine neccesitate"
>
>
> Regards,
> Daniel;
>
>
> ----------------------------------------------------------------
> To subscribe or unsubscribe from this elist use the subscription
> manager: <http://lists.oasis-open.org/ob/adm.pl>
>