Title: RE: Policies with No Subject Colleagues - I strongly support Hal's view. (His third paragraph does contain an implicit definition of the term "privilege" which conflicts with my use of the term. But, that is not material to this discussion.) I envisage XACML 1.0 defining informative "bindings" for some common policy distribution mechanisms (the Web, ODBC, LDAP) that explain how to locate and retrieve the XACML policy statement for a specified resource/action combination. So, the schema of this mechanism will probably be based on the structure of resources and their actions. The policy statement will be executed by an XACML virtual machine, the operation of which is defined in the one normative XACML meta-policy. The virtual machine must obtain just the parameter values indicated in the policy statement. These may include attributes of the subject, but they don't have to. If a parameter is not included in the policy statement, then it does not have to be considered in the policy evaluation. All the best. Tim. ----------------------------------------- Tim Moses Tel: 613.270.3183