Title: Grants and Denys

On reflection, I am strongly opposed to the approach of having separate GRANT and DENY rules which somehow interact with each other. I favor the approach, as in 0.9, where there is a single boolean that determines whether or not to grant access, for the following reasons:

1. I disagree that the former approach is more expressive. I believe they are equal.
2. I believe the latter is more intuitive, although this may depend to some extent on what you are used to.
3. As witness our discussion Monday, the former approach adds a lot of additional issues.

In summary, since we are trying to produce one of two possible results, why start out with a scheme that produces one of four and then try to map it? (G-T D-T, G-F D-T, G-T D-F, G-F G-T)

Hal