[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: RE: [xacml] Function Completeness
On Wed, 18 Sep 2002, Daniel Engovatov wrote: > >Do you really think it is not a good idea to cover that hole? > > This "hole", if any, is introduced by this new "higher-order" functions > additions. >The MatchId specifies the boolean binary matching predicate you apply >between the explicit value and values returned by the designator. The >Match specifies the generic way in which you combine the results of each >comparison, which is "at least one must be true". >This semantics has been around longer than the higher-order function >specification. >Cheers, >-Polar Yes, but the "boolean binary matching predicate" was restrictd to the equality operation, which is symmetric. While the negation of Match was not provided, I suggest that it should not be supported on purpose: asking your rule source "find all the rules that are not for "Bob"" is less effective then writing a single deny rule for "Bob", while ogically the same. My point is, since all the authorization logic can be supported in condition, (and that's important - I would be all for expanding MAtch if it provided ANY additional, practical functionality) MatchId should, by design, support effective indexing. Arbitrary binary operations and search by negation is NOT the way to achieve that.. Is not it? Regards, Daniel.
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC