OASIS eXtensible Access Control Markup Language (XACML) TC

CD-1 issue #25: meaning of "EntireHierarchy"

    Posted 09-11-2009 13:19
    The issue number refers to the XLS-sheet found in this email:
    http://lists.oasis-open.org/archives/xacml/200909/msg00013.html
    
    The line numbers in the comment seem to be off, but I think he is 
    referring to section 3.1.
    
    The commenter has misunderstood the meaning of the "EntireHierarchy" 
    functionality. He thinks that the initial XPath expression is used to 
    select a number of nodes, and then each of these nodes is checked.
    
    However, the profile intends (unless I am mistaken) that the initial 
    XPath expression selects a single node, and then access is checked for 
    each descendant node of this node.
    
    I can see that the text is ambiguous since it simply says (section 
    3.1.3) "For each node in the requested hierarchy", with no definition of 
    what "requested hierarchy" is.
    
    I think we must improve the text to make it clear.
    
    I propose that we instead write "For the initial node selected by the 
    resource-id and all descendant nodes"
    
    Best regards,
    Erik
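
The two readings discussed in the post above, side by side, as an added example that is not part of the original post or of the profile. The sample document, the function names and the positional path format are assumptions made for illustration; only element nodes are enumerated, and rejecting an expression that selects more than one node is also an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample resource document (not taken from the profile or the post).
SAMPLE = """<record>
  <patient><name>A</name><dob>1970</dob></patient>
  <patient><name>B</name></patient>
</record>"""

def _paths(root):
    """Map every element to an absolute positional path, e.g. /record/patient[2]/name[1]."""
    paths = {root: "/" + root.tag}
    stack = [root]
    while stack:
        parent = stack.pop()
        seen = {}
        for child in parent:
            seen[child.tag] = seen.get(child.tag, 0) + 1
            paths[child] = f"{paths[parent]}/{child.tag}[{seen[child.tag]}]"
            stack.append(child)
    return paths

def entire_hierarchy(xml_text, resource_id):
    """Reading proposed in the post: resource_id selects ONE initial node, and
    access is checked for that node and each of its descendants."""
    root = ET.fromstring(xml_text)
    paths = _paths(root)
    selected = root.findall(resource_id)
    if len(selected) != 1:
        # Assumption: an expression that is not a single-node selector is rejected.
        raise ValueError(f"resource-id must select exactly one node, got {len(selected)}")
    # iter() yields the initial node first, then its descendants in document order.
    return [paths[node] for node in selected[0].iter()]

def matched_nodes_only(xml_text, resource_id):
    """The commenter's reading: only the nodes the expression itself selects are checked."""
    root = ET.fromstring(xml_text)
    paths = _paths(root)
    return [paths[node] for node in root.findall(resource_id)]

if __name__ == "__main__":
    print(entire_hierarchy(SAMPLE, "./patient[1]"))
    print(matched_nodes_only(SAMPLE, "./patient"))
```

Under the first reading the descendant `name` and `dob` nodes each get their own access check; under the second they are never evaluated individually, which is the difference the proposed wording is meant to remove.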