OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]


Subject: RE: [xacml] Function Completeness


On Wed, 18 Sep 2002, Daniel Engovatov wrote:

> >Do you really think it is not a good idea to cover that hole?
>
> This "hole", if any, is introduced by this new "higher-order" functions
> additions.

>The MatchId specifies the boolean binary matching predicate you apply
>between the explicit value and values returned by the designator. The
>Match specifies the generic way in which you combine the results of each
>comparison, which is "at least one must be true".

>This semantics has been around longer than the higher-order function
>specification.

>Cheers,
>-Polar

Yes, but the "boolean binary matching predicate" was restrictd to the
equality operation, which is symmetric.

While the negation of Match was not provided, I suggest that it should not
be supported on purpose: asking your rule source "find all the rules that
are not for "Bob"" is less effective then writing a single deny rule for
"Bob", while ogically the same.

My point is, since all the authorization logic can be supported in
condition, (and that's important - I would be all for expanding MAtch if it
provided ANY additional, practical functionality) MatchId should, by design,
support effective indexing.  Arbitrary binary operations and search by
negation is NOT the way to achieve that..
Is not it?

Regards,
Daniel.




[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]


Powered by eList eXpress LLC