MHonArc v2.5.2 -->
xacml message
[Date Prev]
| [Thread Prev]
| [Thread Next]
| [Date Next]
--
[Date Index]
| [Thread Index]
| [Elist Home]
Subject: RE: [xacml] [policy-model] A Proposal
Title: RE: [xacml] [policy-model] A Proposal
Tim,
I
think that 'not' does not substitute for 'deny'. From my point of view 'not' is
just a logical operation.
You
can have 'not' condition in the grant statement and it may or may not fire.
If 'not' something evaluates to false
you do
not get a 'grant'. 'Deny' on the other hand has implications for role
hierarchies and also can have 'not' conditions imbedded
in it.
I agree with Michiharu that it is better to have explicit 'grant' and 'deny' (or
some variation thereof)
Simon
G.