posted 19 years ago
Hi Paul,
The question is, again, a good one. Unfortunately the answer is not simple.
There is lots of ground to cover here, and I won't address it all in this posting. E.g., there is programmatic access control, and there is rule-based access control.
Rule-based policy systems are problematic because they require an administrator to define rules about applications, and administrators generally do not understand business applications or even want to. My book talks about the distinction of access control rules and access control policy configuration. The former should be defined by the application builder, possibly using a programmatic approach; the latter should be set by the application administrator. The rules can be complex, but the policy set by an administrator should be simple and declarative.
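As an added illustration of the separation described above (example code written for this reply, not taken from the post or the book), the rules live in code owned by the application builder, while the administrator only edits a small declarative policy table; the role names, limits and user assignments are constructed sample values:

```python
"""Access-control rules (in code, owned by the application builder) kept apart
from access-control policy (simple declarative data, owned by the administrator)."""
from dataclasses import dataclass

# Declarative policy: the only thing an administrator edits. Constructed sample values.
POLICY = {
    "roles": {
        "clerk": {"approve_limit": 0},
        "manager": {"approve_limit": 5000},
        "director": {"approve_limit": 100000},
    },
    "user_roles": {"alice": ["clerk"], "bob": ["manager"], "carol": ["director"]},
}


@dataclass
class Invoice:
    submitter: str
    amount: float


def approval_limit(policy, user):
    """Largest approval limit granted by any role the user holds (0 if none)."""
    roles = policy["user_roles"].get(user, [])
    limits = (policy["roles"].get(r, {}).get("approve_limit", 0) for r in roles)
    return max(limits, default=0)


def may_approve(policy, user, invoice):
    """Programmatic rule written by the application builder: separation of duties
    (no one approves their own invoice) combined with the admin-set amount limit."""
    if user == invoice.submitter:
        return False
    return invoice.amount <= approval_limit(policy, user)


if __name__ == "__main__":
    print(may_approve(POLICY, "bob", Invoice("alice", 4000.0)))   # True
    print(may_approve(POLICY, "bob", Invoice("bob", 100.0)))      # False: own invoice
```

The administrator never touches `may_approve`; changing who may approve what is done by editing `POLICY` alone.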