Hal writes:
> When I learned logic, the following would evaluate to
> false for "Joe", therefore access would be denied.
>
> (group = "employee") and (not(user = "Joe"))
>
> Suppose I combine that with another rule using AND, for example:
>
> ((group = "employee") and (not(user = "Joe"))) and
> (time is between 9:00 - 17:00)
>
> This still evaluates to false for Joe, so his access is
> still denied.
JSE: Of course, let's also remember that in a practical implementation, this
sort of exclusion is likely to be done elsewhere --- typically in the role
assignments and the binding of policies to those roles. If the administrators
need finer granularity than "employee," they are likely to create roles (and
corresponding resource classifications) that properly handle the case presented
(because this week they are blocking Joe, but next week it is Oly and Lena).
So instead of crafting predicates as shown, they would create e.g. a
"specialEmployee" role and include that in the policy expressions.
John
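The two approaches contrasted above, as an added worked example that is not part of the thread: the first function encodes Hal's predicate (employee, not Joe, within 9:00-17:00) directly; the second moves the exclusion into role assignment, with policies bound to roles, as John describes. The role name "specialEmployee" comes from the thread; the `blocked_users` set, the `Request` type and the helper names are assumptions made here to make the comparison runnable.

```python
from dataclasses import dataclass
from datetime import time


@dataclass(frozen=True)
class Request:
    user: str
    group: str
    when: time   # wall-clock time of the access attempt


def parse_clock(hhmm):
    """Turn 'HH:MM' into a datetime.time (constructed helper, not from the thread)."""
    hours, minutes = hhmm.split(":")
    return time(int(hours), int(minutes))


def business_hours(when):
    """The time predicate from the thread, 9:00 - 17:00, taken as inclusive."""
    return time(9, 0) <= when <= time(17, 0)


# Approach 1 (Hal's rule): the exclusion is written into the policy predicate.
#   ((group = "employee") and (not(user = "Joe"))) and (time is between 9:00 - 17:00)
def predicate_policy(req):
    return (req.group == "employee"
            and not (req.user == "Joe")
            and business_hours(req.when))


# Approach 2 (John's point): the exclusion lives in role assignment, and
# policies are bound to roles. The blocked set models "this week's" exclusions.
def assign_role(req, blocked_users):
    if req.group != "employee":
        return None                 # no role -> no policy -> denied
    if req.user in blocked_users:
        return "specialEmployee"    # role name suggested in the thread
    return "employee"


# Policies bound to roles; a role missing from this table gets no access.
ROLE_POLICIES = {
    "employee": lambda req: business_hours(req.when),
    "specialEmployee": lambda req: False,   # explicitly denied while on the list
}


def role_policy(req, blocked_users):
    policy = ROLE_POLICIES.get(assign_role(req, blocked_users))
    return policy is not None and policy(req)


def decide(user, group, hhmm, blocked_users):
    """Return (predicate_decision, role_based_decision) for one request."""
    req = Request(user, group, parse_clock(hhmm))
    return predicate_policy(req), role_policy(req, blocked_users)


if __name__ == "__main__":
    # Week 1 blocks Joe; week 2 blocks Oly and Lena (constructed schedules).
    for week, blocked in (("week 1", {"Joe"}), ("week 2", {"Oly", "Lena"})):
        for who in ("Joe", "Lena"):
            print(week, who, decide(who, "employee", "10:00", blocked))
```

The last two rows printed show the maintenance difference: once the blocklist rotates to Oly and Lena, the role-based decision follows the new assignments, while the hard-coded predicate still denies Joe and still admits Lena until someone rewrites the policy expression itself.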