OASIS eXtensible Access Control Markup Language (XACML) TC

  • 1.  [xacml] Delegation?

    Posted 12-17-2001 14:11
    
    Has anybody thought about how delegation can be reasoned about in XACML?
    
    It appears that SAML only asserts a flat list of attributes with a single
    principal, or am I off base here?
    
    Can I support policies on such operations as:
    
    Paul for Peter says debit Peter's account?
    
    Which means that Paul (or some other party trusted to do so) has issued
    Paul the authorization to act on behalf of Peter, in this case to access
    Peter's account.
    
    Or such things, like
    
    WebServer quoting JohnDoe says lookup  in customer database.
    
    Where the WebServer may be trusted to authenticate JohnDoe, but no such
    proof is necessary other than the WebServer merely claiming to be acting
    on JohnDoe's behalf?
    
    -Polar