Let me clarify a bit. The way I see the indexing working: Policy is analysed and, for example, rules requiring attribute "foo" to match are present. Rules are indexed by the value of "foo" required to match. Rules are indexed by each attribute required to match - so, yes it is expensive to have rules requiring many different attributes - but there is no way around this anyway. If a request, with an attribute "foo" comes in - rules are looked up - constant time per each attribute. It is known in advance that rules requiring "foo" are needed, so if it is not present, automatically, the whole table of rules indexed by "foo" are getting Indeterminate result in match - in constant time, that's what happens. What to do with all this rules - that's a different thing, but as long as we MAY have missing attributes in match (they are (non)received with a request), this can happen and it does scale well. So it does scale as long as it is an match that can be hashed.