If a security token has a source ID policy, then any source ID query parameter that does not exactly match one of the policy source IDs will be forbidden. It would be nicer if the query parameter could be resolved against the policy source IDs, allowing the query to execute if a match can be found.

For example, if a policy allowed source IDs A, B, C and a query for sourceId=* then the query could be executed for the effective source IDs A, B, C.

If a policy source ID is itself a pattern, then an exact string match would still be a sensible match.