I think you're looking at the design of visibility labels backwards.
Visibility labels and corresponding authorizations are not user
groups to which you assign data; they represent attributes of the
data itself, which determine which groups can access it. If you have a
new group, in Accumulo that would mean you have a new kind of data. By
default, this data shouldn't be visible, in Accumulo. You have to make
a conscious decision to allow access to that new data label and assign
users to the data.

--
Christopher L Tubbs II
http://gravatar.com/ctubbsii


On Wed, Mar 19, 2014 at 11:43 AM, Jeff Kunkle <[email protected]> wrote:
> New groups are created on the fly by our application when needed. Under the
> scenario you describe we’d have to go through all the data in Accumulo
> whenever a group is created so that users in the group can see the existing
> data.
>
> On Mar 19, 2014, at 11:34 AM, Sean Busbey <[email protected]> wrote:
>
>
> On Wed, Mar 19, 2014 at 10:22 AM, Jeff Kunkle <[email protected]> wrote:
>>
>> My particular use case meets both of those conditions. I’d like to use a
>> not operator to soft delete things for specific groups of users, which are
>> assigned a given authorization. For example, assume I have two groups of
>> users: group1 and group2. If I want to temporarily hide something from
>> group1 I would add “& !group1” to the visibility. In my case I’m not really
>> using the NOT operator for access control. The users in the group have
>> access to the data; they’ve just chosen to hide it from their view.
>>
>>
>
> This scenario includes rewriting the data with the "& !group1" addition? Why
> not just rewrite the data to not include the group1 visibility at all?
>
>
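
The model discussed in this thread, as an added example that is not part of the original messages or Accumulo's own code: a simplified Python evaluator for visibility expressions built from terms, `&`, `|` and parentheses. The entry names and labels are constructed; the point is that a scanner holding only a newly created authorization reads no labelled entry until a label names it, and that `!` is not part of the grammar.

```python
import re

# Terms plus the operators & | and parentheses; there is no NOT operator.
TOKEN = re.compile(r"[A-Za-z0-9_\-:./]+|[&|()]")

def visible(label, auths):
    """True if a scanner holding `auths` may read an entry labelled `label`."""
    if label == "":
        return True  # an empty label places no restriction on the entry
    tokens = TOKEN.findall(label)
    if "".join(tokens) != label:
        raise ValueError("illegal character in label: %r" % label)
    pos = 0

    def term():
        nonlocal pos
        if pos >= len(tokens) or tokens[pos] in ("&", "|", ")"):
            raise ValueError("expected a term in %r" % label)
        tok = tokens[pos]
        pos += 1
        if tok != "(":
            return tok in auths  # a term matches only if the scanner holds it
        result = expr()
        if pos >= len(tokens) or tokens[pos] != ")":
            raise ValueError("missing ) in %r" % label)
        pos += 1
        return result

    def expr():
        nonlocal pos
        result, op = term(), None
        while pos < len(tokens) and tokens[pos] in ("&", "|"):
            if op and tokens[pos] != op:
                raise ValueError("mixing & and | requires parentheses")
            op = tokens[pos]
            pos += 1
            rhs = term()
            result = (result and rhs) if op == "&" else (result or rhs)
        return result

    result = expr()
    if pos != len(tokens):
        raise ValueError("unexpected token in %r" % label)
    return result

# Constructed sample entries: row id -> visibility label stored with the data.
ENTRIES = {"row1": "group1", "row2": "group1|group2",
           "row3": "audit&(group1|group2)"}

def readable(entries, auths):
    return sorted(row for row, label in entries.items() if visible(label, auths))
```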
