
Hi Stephen

On Monday 14 April 2008 17:58:47 Burke, S (Stephen) wrote:
> Just as a comment on the discussion about DENY rules in policies, my alternative suggestion was to have "allow" rules with a more complex syntax, e.g. something like:
>
> VOMS:/atlas/*:EXCEPT:/atlas/higgs
>
> which would match against any subgroup of atlas except higgs. That would be a bit harder to parse, but maybe still easier than a generic DENY rule.
(This is not a comment about the idea of publishing allow+except; it is a comment about this specific example implementation.)

What you describe is an invalid FQAN. This matters only if the VOMS URI is for publishing FQANs. I believe this is the case, but can't find this stated anywhere. If so, one solution would be to extend the namespace by adding a new URI prefix (i.e., not use "VOMS").

HTH,

Paul.
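
Added example, not part of the original thread and not taken from any VOMS or policy implementation: a Python sketch of evaluating the allow+except rule quoted above, which also shows that the rule body is not itself a plain FQAN. Assumptions: the FQAN regular expression, the function names, `/*` matching strict subgroups only, EXCEPT covering the named group and everything beneath it, and the constructed sample FQANs in the comments.

```python
import re

# Assumed FQAN shape for this sketch: /vo[/group...][/Role=r][/Capability=c]
FQAN_RE = re.compile(r"^(/[\w.-]+)+(/Role=[\w.-]+)?(/Capability=[\w.-]+)?$", re.ASCII)

def is_plain_fqan(s):
    return FQAN_RE.match(s) is not None

def group_parts(fqan):
    """Group path as components, with Role/Capability qualifiers dropped."""
    return [p for p in fqan.split("/")
            if p and not p.startswith(("Role=", "Capability="))]

def parse_rule(rule):
    """Split 'VOMS:<group>[/*][:EXCEPT:<group>]' into (base, wildcard, excluded)."""
    scheme, _, rest = rule.partition(":")
    if scheme != "VOMS":
        raise ValueError("unsupported prefix")
    pattern, sep, excluded = rest.partition(":EXCEPT:")
    wildcard = pattern.endswith("/*")
    base = pattern[:-2] if wildcard else pattern
    if not is_plain_fqan(base) or (sep and not is_plain_fqan(excluded)):
        raise ValueError("malformed rule")
    return group_parts(base), wildcard, group_parts(excluded) if sep else None

def is_under(parts, base, strict):
    """Component-wise prefix test, so /atlas/higgsino is not under /atlas/higgs."""
    return parts[:len(base)] == base and (len(parts) > len(base) or not strict)

def allows(rule, fqan):
    """True if the presented FQAN is permitted by the allow+except rule."""
    base, wildcard, excluded = parse_rule(rule)
    if not is_plain_fqan(fqan):
        return False  # fail closed on anything that is not a well-formed FQAN
    parts = group_parts(fqan)
    if wildcard:
        matched = is_under(parts, base, strict=True)  # assumed: /atlas itself is not a subgroup
    else:
        matched = parts == base
    if excluded is not None and is_under(parts, excluded, strict=False):
        return False  # the exception wins over the allow pattern
    return matched

RULE = "VOMS:/atlas/*:EXCEPT:/atlas/higgs"  # rule string quoted in the thread
# Constructed inputs: allows(RULE, "/atlas/susy") is True,
# allows(RULE, "/atlas/higgs/Role=production") is False.
```
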