I agree with Marlena, keep the term 'subject' to refer to the principal
regardless of whether it be one principal or a set of principals.
So for example an XACML <Role> could be a principal, indicating that anyone
with the specified Role had the specified relationship to the <Object>.
It is essential to differentiate the occurrence of a <role> in the <subject>
and the occurrence of a <role> in the <object>. A particular assertion might
even have roles in both locations: 'anyone with the X Role also has the Y
role' - very useful for mapping external roles and attributes onto locally
defined roles.
Phill
Phillip Hallam-Baker FBCS C.Eng.
Principal Scientist
VeriSign Inc.
pbaker@verisign.com
781 245 6996 x227