OASIS eXtensible Access Control Markup Language (XACML) TC

RE: [xacml] [policy-model] A Proposal

  • 1.  RE: [xacml] [policy-model] A Proposal

    Posted 12-06-2001 17:56
     MHonArc v2.5.2 -->
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    

    xacml message

    [Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]


    Subject: RE: [xacml] [policy-model] A Proposal


    Title: RE: [xacml] [policy-model] A Proposal
    Tim,
    I think that 'not' does not substitute for 'deny'. From my point of view 'not' is just a logical operation.
    You can have 'not' condition in the grant statement and it may or may not fire. If 'not' something evaluates to false
    you do not get a 'grant'. 'Deny' on the other hand has implications for role hierarchies and also can have 'not' conditions imbedded
    in it. I agree with Michiharu that it is better to have explicit 'grant' and 'deny' (or some variation thereof)
     
    Simon G.