Forcing authorization access-reject depending on attribute