RE: [security-services] ISSUE: Resource attribute onAuthZDecisionStatement

[Scott Cantor <cantor.2@osu.edu>]

> Has anyone got enough experience with AuthZDecisionStatements to say 
> whether the Resource attribute has been working for them?  I know of one 
> case where someone is extending it to include multiple resources and to 
> use a non-URI method of identifying them.  I'm wondering if we should 
> consider doing something similar, and possibly including resource types 
> as a formal extension point (with a ResourceFormat, maybe).

It came up briefly in Liberty, though I think the direction there was away from that statement type in the context it was raised.
There was definitely some desire to have less constraints on the syntax, or a more XML-extensible format.

> If this suggestion provokes a lot of interest, maybe it's something we 
> can consider in 1.1.  If not, maybe we can put it on the V2.0 discussion 
> list or drop it entirely.

I would guess it belongs in the XACML + SAML = ? discussion for 2.0.

-- Scott