Perhaps I gave the wrong impression about protecting a
policy repository.
During the discussions which led to XACML 3.0 it was pointed out that with XACML 2.0 (or
any version really) you can protect operations such as CRUD on a repository.
However this approach would not let you control the scope of capabilities of a
person editing policies.
I suppose we could have considered using XPATH functions to introspect policy
contents, but I think the result would have made it very hard to understand the
intent of administrative policies.
For whatever reasons this approach was not seriously considered and instead we chose
the scheme you see in the Admin Profile.
Influenced by the requirement to be allowed to provide
policies along with the request, we formulated Reduction as a policy decision
time process instead of an administration time process. Since the current scheme
allows access policies and their enabling administrative policies to reference
distinct attributes, there is no good way to determine if an access policy is in
force, except in the context of a particular decision.
Hal