[ https://issues.apache.org/jira/browse/RANGER-606?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14979750#comment-14979750 ] 

Balaji Ganesan commented on RANGER-606:
---------------------------------------

[~yzhou2001] Thanks for your response. I had some issues understanding your alternative proposals. Would you be kind enough and explain your proposal with some examples? Time stamped policies, though make sense technically, sound more complex to an average user to keep track of. If a security solution is complex, users would probably stop using it. 

My take would be keep the policy definition to start with and iterate as we get feedback from Ranger user community. The initial concern with deny exceptions was that users would need to be intelligent enough to figure out to use that if they need to exclude users from a global deny. 

> Add support for deny policies 
> ------------------------------
>
>                 Key: RANGER-606
>                 URL: https://issues.apache.org/jira/browse/RANGER-606
>             Project: Ranger
>          Issue Type: Bug
>          Components: admin, plugins
>    Affects Versions: 0.5.0
>            Reporter: Madhan Neethiraj
>            Assignee: Madhan Neethiraj
>             Fix For: 0.5.0
>
>
> Currently Ranger supports creation of policies that can allow access when specific conditions are met (for example, resources, user, groups, access-type, custom-conditions..). In addition to this, having the ability to create policies that deny access for specific conditions will help address many usecases, like:
> - deny access for specific users/groups/ip-addresses/time-of-day
> - deny access when specific conditions are met - like resources/users/groups/access-types/custom-conditions



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)