Subject: RE: [xacml-comment] Query Regarding XACML Delegation Profile v1.0 (16 April, 2009)
I am wondering if perhaps there is some confusion of terminology going on. By its nature, the A&D Profile, and specifically the Reduction process, involves a minimum of two policies: an Access Policy and an Admin Policy which authorizes it. For them to be evaluated they must be contained in a Policy Set. This is the absolute minimum. A real-world configuration might have hundreds of Policies and dozens of Policy Sets.
This makes me wonder what you are actually referring to. If you mean a delegation structure for the rules within a policy, well, the TC more or less decided the scheme is already pretty complicated and there is no need to make it twice as complicated. Also, there is a TC principle dating back to 1.0 that Policies are the unit of administration. We don’t sign anything smaller than a Policy, for example.
However, I am very pleased at your interest in the A&D Profile. I am curious about the nature of your interest. There has been discussion recently on the TC list (public archive: https://lists.oasis-open.org/archives/xacml/) to the effect that few commercial organizations see a need for these capabilities. As a result interest is fairly low.
The XACML TC would be very pleased to learn of any use case for these capabilities, even in an academic or research context. My personal belief is that either this profile will eventually satisfy some real-world requirements or it will provide a basis for experimenting with its use enough to be able to devise something better. For example, I could imagine experimenting with a complex access control system in the context of supporting a comprehensive social-collaboration environment used by students and faculty.