I was recently talking to Aaron Cordova, and he asked me to chime into this thread, based on some of the work that I have done and graduate work that I have done in the access control space.
Mixing positive and negative authorizations for visibility is certainly doable; however, there are some challenges related to doing so. When you give people the possibility of combining positive and negative access control policies, you also give them the potential to create conflicts that could (1) make something invisible to everyone [perfect security?], or (2) make something visible to everyone. And someone could do both of these, unintentionally.

Ex1: A simple policy like *(A & !A)* will make something non-accessible (and this is trivial to see). At the same time, a complex policy like *((A|B)&(C|D)&(E|F)&(G|!A))* could *potentially* resolve to a policy that would deny everyone access, because in the case of someone who doesn't have B or G (and someone who has C|D and E|F), *A* and *!A* would cancel themselves out.

Ex2: In the same way, someone could build another policy that might resolve to something like *(A|!A)* which would resolve to no security at all.

So if you were to build a system that mixed negative and positive operators, I think there would be a need to have a *policy resolver* to make sure that a well-intentioned developer was not accidentally disabling security or making something completely invisible and useless to everyone.

You can see that there is a lot of academic research on conflict resolution when it comes to mixing positive and negative authorizations (see paper below):

https://www.site.uottawa.ca/~luigi/papers/09_adi_bouzida_hattak.pdf

The above paper doesn't make a case for NOT mixing positive and negative authorizations, but you can see that by not mixing them, you can avoid a number of pitfalls.

With some work, any negative authorization statements can be re-written as positives. I've had to do this for a number of systems for RBAC (which only does positive authorizations).

Anyway - just something to think about. I hope this helps!

Kevin T. Smith
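An added example, not part of the message above or of any project's code: a minimal brute-force policy resolver in Python for the `&`, `|`, `!` expressions used in Ex1 and Ex2, which reports whether a policy is visible to no one, to everyone, or is satisfiable by some users only. The label character set, the precedence of `&` over `|`, and the names `parse` and `resolve` are assumptions made for illustration.

```python
import itertools
import re

def parse(text):
    """Assumed syntax: labels, & | !, parentheses. Returns (predicate, labels)."""
    toks = re.findall(r"[A-Za-z0-9_]+|[&|!()]", text)[::-1]  # reversed: pop() yields next
    if "".join(toks[::-1]) != "".join(text.split()):
        raise ValueError(f"unexpected character in {text!r}")
    labels = set()

    def accept(tok):  # consume tok if it is next, else return None
        return toks.pop() if toks and toks[-1] == tok else None

    def atom():
        if accept("!"):
            inner = atom()
            return lambda held: not inner(held)
        if accept("("):
            inner = expr()
            if not accept(")"):
                raise ValueError("missing ')'")
            return inner
        if not toks or toks[-1] in ("&", "|", ")"):
            raise ValueError("label expected")
        name = toks.pop()
        labels.add(name)
        return lambda held: name in held

    def chain(op, operand, combine):  # operand (op operand)*
        terms = [operand()]
        while accept(op):
            terms.append(operand())
        return lambda held: combine(t(held) for t in terms)

    def expr():                       # '&' binds tighter than '|'
        return chain("|", lambda: chain("&", atom, all), any)

    pred = expr()
    if toks:
        raise ValueError(f"unexpected token {toks[-1]!r}")
    return pred, sorted(labels)

def resolve(text):
    """Classify a policy by testing every combination of held labels."""
    pred, labels = parse(text)
    outcomes = {pred({l for l, on in zip(labels, bits) if on})
                for bits in itertools.product((False, True), repeat=len(labels))}
    if len(outcomes) == 2:
        return "ok"
    return "visible to everyone" if True in outcomes else "visible to no one"
```

The enumeration is exponential in the number of distinct labels, so it suits the handful of labels found in a single expression; the predicate returned by `parse` can also be called with one user's label set to see how that user fares under a policy.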
