[glue-wg] DENY rules
Burke, S (Stephen)
S.Burke at rl.ac.uk
Tue Apr 15 03:56:55 CDT 2008
Maarten.Litmaath at cern.ch [mailto:Maarten.Litmaath at cern.ch] said:
> How would one express that a VO "foo" has access except for the
> groups /foo/bar and /foo/xyz?
If you adopted this scheme you would have two rules:
VOMS:/foo
VOMS:/foo/*:EXCEPT:/foo/bar:EXCEPT:/foo/xyz
Note that the EGEE matching rules specify that /foo only matches the
top-level group (only the primary FQAN is considered), so you need both
/foo and /foo/* to cover a whole VO.
Stephen
More information about the glue-wg
mailing list