I once worked on a project for flexible authorization called "SecureKit" which attempted to be a Common Criteria evaluated system for any kind of authorization. It quickly became apparent that it would pretty much have to be Turing complete to satisfy the general case.
For example, in some systems anyone can authenticate when a fire is occurring in some other areas, but normally only a certain set of people can have access to it.
Yes, this is what I realized too. It is why EACL is embedded in the application layer instead of trying to run in a layer above it. To do authorization properly, rules need to be embedded alongside the secured data and decision code needs to run next to application code.