Add Attribute to Policy to Indicate "Must-Pass"
aaj3f opened this issue · comments
Description
We recently discussed the need to have some attribute on a policy akin to !important
in CSS that indicates that the policy trumps the typical logical-OR pattern and MUST be passed, even if other policies that would apply to the operation also would pass.
For example, we might have an student
role with a policy that does NOT give transact op access to a class like ResultGrade
. If a user was both a student
and an admin
and if admin
had a policy that DID give transact op access to ResultGrade
, we might not want the admin
role to trump the student
role with regard to transacting to ResultGrade
. Use of this !important
attribute (whatever it may look like) on the student
role policy applying to ResultGrade
would mean that this policy HAD to pass (logical-AND).