Here is a repost of Pierangela's document in PDF format.
Pierangela Samarati wrote:
as mentioned in the concall today, at the last policy committee
call we discussed the issue of positive (meaning permissions; e.g.,
"this principal can access this resource") and negative authorizations
(meaning denials: "this principal cannot access this resource").
While it is true that you cannot do with permissions alone (many cases
call for more flexibility), it is also true that having denials
complicates the framework (mostly because, once you start having denials,
you start thinking of the different semantics that they can carry - and
that whoever specified the rule may have intended).
I had proposed an alternative solution inspired by a recent work, which
goes as follows. Distinguish two kinds of rules:
1) the ones that specify sufficient conditions (which are the permissions);
2) the ones that specify necessary conditions.
Instead of repeating descriptions and examples here, I am attaching a
file of that work where the two forms of rules are introduced (Section
4.2). Of course our language is different, as it is more expressive; but that
gives the idea.
Only one thing: what I call "subject"
there is our "principal", and what I call "object" is our "resource".
Please just send me an email (or post to the group) for any clarification that may
be needed, and any comments.
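The two-kind rule model described in the message above, as an added illustration that is not part of the original thread or of the attached paper: a request is allowed only if some sufficient rule (a permission) grants it and every necessary rule whose scope covers it is satisfied, so no explicit denials and no conflict-resolution semantics are needed. The sample policy, attribute names and the `decide` helper are constructed for this example.

```python
"""Two kinds of authorization rules, as in the email: sufficient conditions
(permissions) and necessary conditions (constraints), with no explicit denials."""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

Request = Dict[str, Any]  # constructed attribute bag describing one access request

@dataclass
class Sufficient:
    """A permission: if `grants` holds, this rule alone is enough to allow access."""
    name: str
    grants: Callable[[Request], bool]

@dataclass
class Necessary:
    """A constraint: for every request in `scope`, `requires` must hold."""
    name: str
    scope: Callable[[Request], bool]
    requires: Callable[[Request], bool]

def evaluate(rules: List[Any], req: Request) -> bool:
    """Allow iff (a) at least one sufficient rule grants the request and
    (b) every necessary rule whose scope covers it is satisfied.
    No conflict-resolution step is needed: necessary rules never grant,
    and sufficient rules never override a constraint."""
    if not any(r.grants(req) for r in rules if isinstance(r, Sufficient)):
        return False  # closed policy: nothing permitted the request
    return all(r.requires(req) for r in rules
               if isinstance(r, Necessary) and r.scope(req))

# Constructed sample policy (hypothetical, not taken from the attached paper).
RULES = [
    Sufficient("staff-read-reports", lambda r: "staff" in r["groups"]
               and r["type"] == "report" and r["action"] == "read"),
    Sufficient("owner-any", lambda r: r["principal"] == r["owner"]),
    # Confidential resources may only be reached over the internal network,
    # whoever the principal is and whichever permission would otherwise apply.
    Necessary("confidential-internal-only",
              scope=lambda r: r["classification"] == "confidential",
              requires=lambda r: r["channel"] == "internal"),
]

def decide(principal, groups, action, rtype, owner, classification, channel) -> bool:
    req = dict(principal=principal, groups=set(groups), action=action, type=rtype,
               owner=owner, classification=classification, channel=channel)
    return evaluate(RULES, req)
```

Note that the owner rule still cannot reach a confidential resource over an external channel: the necessary condition binds regardless of which permission applies, which is exactly what a denial would otherwise have to express.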