background

A delegator is one who grants temporary authority to a delegate (i.e. a delegator designates a delegate to act on the delegator's behalf), for example when someone goes on vacation and needs to hand authority over to someone else while away. The delegate does not have the same rights and privileges within the identity provider as the delegator, so the delegator designates that the delegate may act on the delegator's behalf with the delegator's rights and privileges or a subset thereof. If a delegator is also a recipient user, then the user context must contain authenticated session info for the delegator, such as session start and end times and level of assurance. However, the intent of delegation is to accommodate the delegator's temporary absence from duty, so a scenario in which the individual simultaneously acts as both is not customary.

purpose

Using a possessive determiner essentially avoids any need to have Booliette support an "index into the array" of equivalently named data nodes (such as multiple users) and also avoids compelling authors to write their rules using an index construct. Instead, by requiring each rule to contain a little bit of configuration info, a rule author may describe the "mode" of interpreting a multi-user context if one exists. Setting the mode at the rulesheet level wouldn't work when some rules need the mode one way while other rules need it a different way. If the rules don't have this little bit of info and the context is just a single user, then no harm. But if the context is multi-user and the info isn't present in the rules' conditions on user context, then this is an error (or perhaps we can have it default most conservatively).

Anyway, the "mode" would be either optimistic or pessimistic. Optimistic mode ("any") means that at least one node (e.g. user) in the collection must satisfy the condition. Pessimistic mode ("all" or "every") means that every node (e.g. user) in the collection must satisfy the condition. Perhaps pessimistic mode could be the default mode if the rule doesn't explicitly specify one.
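The per-rule mode semantics described above, sketched in Python as an added example; this is not Booliette syntax or Booliette code. The function name, the error class, the `role`/`level_of_assurance` fields, the two-user context and the fail-closed handling of an empty context are all assumptions made for illustration.

```python
# Added illustration; not Booliette syntax or Booliette source code.
from typing import Callable, Optional, Sequence

MODES = {"any": any, "all": all, "every": all}  # "every" is a synonym for "all"


class MissingModeError(Exception):
    """A rule tested a multi-user context without stating its mode."""


def evaluate(users: Sequence[dict], condition: Callable[[dict], bool],
             mode: Optional[str] = None,
             default_mode: Optional[str] = None) -> bool:
    """Evaluate one rule condition against every user node in the context."""
    if not users:
        return False  # assumption: an empty context satisfies nothing
    if len(users) == 1:
        return condition(users[0])  # single user: the mode is irrelevant
    chosen = mode or default_mode
    if chosen is None:
        raise MissingModeError("multi-user context requires 'any' or 'all'")
    if chosen not in MODES:
        raise ValueError(f"unknown mode: {chosen!r}")
    return MODES[chosen](condition(u) for u in users)


# Constructed context: a delegator and a delegate (hypothetical field names).
CONTEXT = [
    {"role": "delegator", "name": "alice", "level_of_assurance": 3},
    {"role": "delegate", "name": "bob", "level_of_assurance": 2},
]


def high_assurance(user: dict) -> bool:
    """Sample rule condition: the user's level of assurance is at least 3."""
    return user["level_of_assurance"] >= 3


if __name__ == "__main__":
    print("any:", evaluate(CONTEXT, high_assurance, mode="any"))
    print("all:", evaluate(CONTEXT, high_assurance, mode="all"))
    print("default all:", evaluate(CONTEXT, high_assurance, default_mode="all"))
    try:
        evaluate(CONTEXT, high_assurance)  # no mode, no default
    except MissingModeError as exc:
        print("error:", exc)
```

With this context the optimistic mode lets the rule pass on the delegator's assurance level alone, while the pessimistic mode (stated or defaulted) denies it because the delegate falls short.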