主权项 |
1. A method implemented at least in part by a computer, the method comprising:
receiving, in the computer, one or more respective resource identifiers identifying one or more respective resources; generating, in the computer, one or more entitlement decisions for respective of the resource identifiers according to a plurality of access rules for the resources, wherein the access rules are organized as respective rule ranges in an entitlement space, and wherein a rule range for an access rule is represented by one or more unique rational numbers; and storing, in the computer, for a set of given security identifiers, the entitlement space as a union of a plurality of permitted ranges from the one or more unique rational numbers representing respective rule ranges, wherein the plurality of permitted ranges comprises access rules filtered based on the given security identifiers, the union of the plurality of permitted ranges represents a subset of the access rules, the subset of the access rules has fewer than all of the access rules, and at least two of the plurality of permitted ranges are not adjacent to each other. |