Consider the Balazs use case:
ATLAS has 100 groups. You want to state that 99 groups are authorized, but not /atlas/production/students.
With just FQAN you have to list 99 groups, this is inefficient. The other way is to say
/atlas/*:EXCEPT:/atlas/production/student
or
ALLOW: fqan:/atlas/* DENY: fqan:/atlas/production/student
If this syntax is required, it should be defined by the group that defines FQANs. There are many places in the architecture where such matchmaking takes place and the information system is just one of them. The problem within EGEE, as you stated was that the method of matchmaking in LCMAPS and the WMS was not consistent. I realize that some of us involved in Glue would also be involved in the other discussion but we need to separate these different roles. We should not define this syntax but reference where this syntax if defined. If this syntax has not been defined we need to state this and not make invent one. Laurence