The proposed Subject and Resource Search APIs return arrays of responses.
-- [A] One proposal is to return a "decision" attribute ("allow" or "deny") along with each response.
-- [B] Another is to return only "allow" responses, and assume everything not returned is denied.
[B] has advantages: it keeps the responses smaller in size, and also makes it easier/faster to compute the response.
If returning denied objects is deemed necessary, then I would argue for adding 2 extra APIs: Search-Denied-Resources and Search-Denied-Subjects, something like that...
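The two response shapes discussed above, as an added example that is not part of the original post or of any specification: a client-side normalizer that treats anything not positively allowed as denied, and a size comparison on the same data. The field names (`type`, `id`, `decision`), the sample resources and all function names are assumptions made for illustration.

```python
import json

# Constructed sample data: four resources, two of which the subject may access.
# Field names ("type", "id", "decision") are assumptions, not a defined schema.
RESPONSE_A = [
    {"type": "document", "id": "doc-1", "decision": "allow"},
    {"type": "document", "id": "doc-2", "decision": "deny"},
    {"type": "document", "id": "doc-3", "decision": "allow"},
    {"type": "document", "id": "doc-4", "decision": "deny"},
]
RESPONSE_B = [
    {"type": "document", "id": "doc-1"},
    {"type": "document", "id": "doc-3"},
]


def allowed_ids(results, explicit_decisions):
    """Return the set of ids the caller may treat as permitted.

    explicit_decisions=True  -> shape [A]: keep only entries whose decision
                                is exactly "allow"; a missing, misspelled or
                                unexpected value is treated as deny.
    explicit_decisions=False -> shape [B]: every returned entry is an allow.
    """
    allowed = set()
    for entry in results:
        if not isinstance(entry, dict) or not isinstance(entry.get("id"), str):
            continue  # malformed entry: fail closed
        if explicit_decisions and entry.get("decision") != "allow":
            continue
        allowed.add(entry["id"])
    return allowed


def is_allowed(resource_id, results, explicit_decisions):
    """Default deny: anything not positively allowed is denied."""
    return resource_id in allowed_ids(results, explicit_decisions)


def wire_size(results):
    """Size in bytes of the compact JSON encoding of a response array."""
    return len(json.dumps(results, separators=(",", ":")).encode("utf-8"))


if __name__ == "__main__":
    print(sorted(allowed_ids(RESPONSE_A, True)), wire_size(RESPONSE_A))
    print(sorted(allowed_ids(RESPONSE_B, False)), wire_size(RESPONSE_B))
```

With shape [A] the client has to handle a decision value it does not recognize; with shape [B] that case cannot occur, but a truncated or partial response becomes indistinguishable from a deny.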