| From | Sent On | Attachments |
|---|---|---|
| Carlisle Adams | Nov 14, 2001 11:32 am | |
| Pierangela Samarati | Nov 15, 2001 7:09 am | |
| Pierangela Samarati | Nov 15, 2001 7:14 am | |
| Pierangela Samarati | Nov 15, 2001 7:48 am | .ps |
| bill parducci | Nov 20, 2001 6:15 am | |
| Pierangela Samarati | Nov 26, 2001 11:01 am | |
| Pierangela Samarati | Nov 26, 2001 11:06 am | .pdf |
| Tim Moses | Nov 27, 2001 5:49 am | |
| Pierangela Samarati | Nov 27, 2001 6:04 am | .tex |
| Hal Lockhart | Nov 27, 2001 6:07 am | |
| Tim Moses | Nov 27, 2001 7:05 am | |
| Pierangela Samarati | Nov 27, 2001 7:21 am | .tex |
| Hal Lockhart | Nov 28, 2001 3:16 pm | |
| bill parducci | Nov 28, 2001 6:01 pm | |
| bill parducci | Nov 29, 2001 7:29 am | .bin |

| Subject: | Re: [xacml] Agenda for November 15 Telecon... | |
|---|---|---|
| From: | bill parducci (bi...@parducci.net) | |
| Date: | Nov 29, 2001 7:29:11 am | |
| List: | org.oasis-open.lists.xacml | |
| Attachments: | bin00000.bin - 327k | |

here is a repost of pierangela's document in pdf format.

b

Pierangela Samarati wrote:

Hi

as mentioned in the concall today at the last policy committee call we discussed the issue of positive (meaning permissions; e.g., "this principal can access this resource") and negative authorizations (meaning denials: "this principal cannot access this resource"). While it is true that you cannot do with permissions alone (many cases call for more flexibility), it is also true that having denials complicates the framework (mostly also since when you start having denials you start thinking of the different semantics that they can carry - and that who specified the rule may have intended).

i had proposed an alternative solution inspired by a recent work, which goes as follows. Distinguish two kinds of rules:

1) the ones that specify sufficient conditions (which are the permissions above)
2) the ones that specify necessary conditions.

instead of repeating descriptions and examples here, i am attaching you a file of that work where the two forms of rules are introduced (Section 4.2). Of course our language is different as more expressive; but that gives the idea.

only one thing, what i call "subject" there is our "principal", what i call "object" is our "resource"

pls just send me email (or post to the group) for any clarification that may be needed, and any comments.

best -p
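
An added illustration of the two rule kinds named in the message above. It is not taken from the e-mail or from the attached paper. It assumes one plausible combination semantics: a request is permitted only if every applicable necessary rule holds and at least one applicable sufficient rule holds. The attribute names, rule names and policy are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Request = Dict[str, str]  # attribute names below are constructed for this example

@dataclass(frozen=True)
class Rule:
    name: str
    applies: Callable[[Request], bool]    # does the rule target this request?
    condition: Callable[[Request], bool]  # the condition the rule states

def evaluate(req: Request, sufficient: List[Rule],
             necessary: List[Rule]) -> Tuple[bool, List[str]]:
    """Assumed semantics: permit iff every applicable necessary rule holds
    and at least one applicable sufficient rule holds (closed policy)."""
    violated = [r.name for r in necessary
                if r.applies(req) and not r.condition(req)]
    if violated:
        return False, violated          # a necessary condition failed
    satisfied = [r.name for r in sufficient
                 if r.applies(req) and r.condition(req)]
    return bool(satisfied), satisfied   # empty list: nothing grants access

def is_record_read(req: Request) -> bool:
    return req["resource"] == "patient-record" and req["action"] == "read"

# Constructed policy. The necessary rule carries what a denial would say
# ("off-site principals cannot read records") without a negative authorization.
SUFFICIENT = [
    Rule("doctor-may-read", is_record_read, lambda r: r["role"] == "doctor"),
    Rule("owner-may-read", is_record_read, lambda r: r["principal"] == r["owner"]),
]
NECESSARY = [
    Rule("onsite-only", is_record_read, lambda r: r["network"] == "internal"),
]

def request(principal: str, role: str, network: str) -> Request:
    return {"principal": principal, "role": role, "network": network,
            "resource": "patient-record", "action": "read", "owner": "alice"}

if __name__ == "__main__":
    for who in [("bob", "doctor", "internal"), ("bob", "doctor", "external"),
                ("carol", "nurse", "internal"), ("alice", "patient", "internal")]:
        print(who, evaluate(request(*who), SUFFICIENT, NECESSARY))
```

The returned list names the rules that decided the outcome: the violated necessary rules on a refusal, or the satisfied sufficient rules on a permit. An empty list with a refusal means no sufficient rule matched.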