
Maarten.Litmaath@cern.ch wrote:
Ciao Sergio,
please have a look at section 18.3 of the latest GLUE spec. There is an initial draft of how rules can be specified using a 'basic' policy scheme for GLUE:

  basic rule ::= DN_RULE | VO_RULE | VOMS_RULE | 'ALL'
  DN_RULE    ::= 'dn:' DN_NAME
  VO_RULE    ::= 'vo:' [a-zA-Z0-9-_\.]*
  VOMS_RULE  ::= 'voms:' VOMS_FQAN ('EXCEPT' VOMS_FQAN)?

How would one express that a VO "foo" has access except for the groups /foo/bar and /foo/xyz?

Probably we need something like this:

  SEPARATOR      ::= ':'
  VOMS_FQAN_LIST ::= (SEPARATOR VOMS_FQAN)*
  VOMS_RULE      ::= 'voms' VOMS_FQAN_LIST (SEPARATOR 'EXCEPT' VOMS_FQAN_LIST)?

which means in your example:

  voms:/foo:EXCEPT:/foo/bar:/foo/xyz

I don't know if you prefer this instead of separate rules for each group with optional DENY.

Cheers, Sergio

--
Sergio Andreozzi
INFN-CNAF,                    Tel: +39 051 609 2860
Viale Berti Pichat, 6/2       Fax: +39 051 609 2746
40126 Bologna (Italy)         Web: http://www.cnaf.infn.it/~andreozzi
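
Added example, not part of the original message or of the GLUE specification: a small Python parser and evaluator for the colon-separated VOMS_RULE syntax proposed above. The matching semantics are assumptions (a listed FQAN covers itself and its subgroups by whole path segments, EXCEPT entries override allowed ones), as are all function names.

```python
import re

# Assumed FQAN shape: "/segment" repeated; Role=... is treated as a plain segment.
FQAN_RE = re.compile(r"(/[A-Za-z0-9_.=-]+)+")
# Constructed sample: VO "foo" allowed, except groups /foo/bar and /foo/xyz.
SAMPLE_RULE = "voms:/foo:EXCEPT:/foo/bar:/foo/xyz"


class RuleError(ValueError):
    """Raised for any rule that does not fit the proposed grammar."""


def parse_voms_rule(rule):
    """Parse 'voms' (':' FQAN)* (':' 'EXCEPT' (':' FQAN)*)? into (allow, deny)."""
    tokens = rule.split(":")
    if tokens[0] != "voms":
        raise RuleError("not a voms rule: %r" % rule)
    allow, deny = [], []
    target = allow
    for tok in tokens[1:]:
        if tok == "EXCEPT":
            if target is deny:
                raise RuleError("EXCEPT may appear only once")
            target = deny
        elif FQAN_RE.fullmatch(tok):
            target.append(tok)
        else:
            # Fail closed: a misspelled keyword must not be ignored.
            raise RuleError("bad token %r in %r" % (tok, rule))
    return allow, deny


def covers(listed, fqan):
    """Assumption: a listed FQAN covers itself and its subgroups, by whole segments."""
    want, have = listed.split("/")[1:], fqan.split("/")[1:]
    return have[:len(want)] == want


def is_authorized(rule, fqan):
    """Assumption: EXCEPT entries win over allowed ones; anything unlisted is denied."""
    allow, deny = parse_voms_rule(rule)
    if not FQAN_RE.fullmatch(fqan) or any(covers(d, fqan) for d in deny):
        return False
    return any(covers(a, fqan) for a in allow)


if __name__ == "__main__":
    for group in ("/foo", "/foo/abc", "/foo/bar/sub", "/foo/barbaz", "/other"):
        print(group, is_authorized(SAMPLE_RULE, group))
```

Comparing whole segments keeps /foo/barbaz from being caught by the /foo/bar exception, and a plain string-prefix test would get that wrong.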