i was reading through the saml glossary that jeff hodges posted some
time back and noticed that the description for the term AUTHORIZATION in
part states:
"...The (act of) granting of access rights to a subject (for example, a
user, or program)."
this implies that a subject must exist for a policy to be executed
since:
1. an authorization is directly derived from a policy
2. the only input for this derivation is the policy (the subject cannot
come from another source)
3. the definition above states that an authorization acts upon a subject
b