Title: RE: [xacml] Proposed semantics for operations involving INDETERMI NATE They may have it presented the same way for the user - but in this case the equivalent of a PEP is the shell, I think. Is not it? Logging facilities and the shell do have this information - then they have a choice how to present it.. That's what I thought - PEP has a choice how to present information to the end client, but it still knows the distinction of what happened in PDP. At least, I would guess that even in this systems, if you examine the system logs you will find different records. I was talking about having protocol available between PDP and PEP as it does have use for several variations of recombination algorithms and for PDP clustering. How it is presented to the end client - is not it a choice done by an application? They may choose to behave the same for GRANT and DENY as well - this is out of the scope of the XACML protocol..