...
- This is a simplistic example of a yes/no answer for wholesale access, but more elegant rules can be written with any number of conditions.
- In the Shib world, this raises the question of whether these rules can be housed in the resolver, as a central repository of authorization logic and policy enforcement point (https://wiki.shibboleth.net/confluence/display/SHIB2/ResolverScriptAttributeDefinition), with the results passed downstream to the application via simple attribute population. (An authorization protocol within a protocol, if you will. Yes, provocative, but why add more machinery when you can do it today?)
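The example below is added here and is not code from the original page or from Shibboleth. It models the idea in plain JavaScript without calling the resolver API: rules with several conditions are evaluated centrally, the decision is emitted as `eduPersonEntitlement` values, and the application only checks the released attribute. The entitlement URNs, the `department` and `accountStatus` attribute names, and the rules themselves are assumptions made for illustration.

```javascript
// Model of central authorization rules evaluated at attribute-resolution time.
// Plain JavaScript: it does not call the Shibboleth resolver API.
// Entitlement URNs, "department" and "accountStatus" are constructed for this example.
const RULES = [
  { // wholesale yes/no rule: any current member gets library access
    grants: "urn:mace:example.edu:library:access",
    when: (a) => has(a, "eduPersonAffiliation", "member"),
  },
  { // multi-condition rule: finance staff whose account is not suspended
    grants: "urn:mace:example.edu:finance:approve",
    when: (a) =>
      has(a, "eduPersonAffiliation", "staff") &&
      has(a, "department", "finance") &&
      !has(a, "accountStatus", "suspended"),
  },
];

// True only if the attribute exists and carries the value (missing => false).
function has(attrs, name, value) {
  const values = attrs[name];
  return Array.isArray(values) && values.includes(value);
}

// Resolver side: evaluate every rule and emit the result as attribute values.
// A rule that throws grants nothing, so errors fail closed.
function resolveEntitlements(attrs) {
  const granted = [];
  for (const rule of RULES) {
    try {
      if (rule.when(attrs || {})) granted.push(rule.grants);
    } catch (e) { /* deny by default */ }
  }
  return { eduPersonEntitlement: granted };
}

// Application side: a single attribute check, with no rule logic of its own.
function isAuthorized(released, required) {
  return has(released, "eduPersonEntitlement", required);
}

// Constructed sample subjects.
const alice = { eduPersonAffiliation: ["member", "staff"], department: ["finance"] };
const bob = { eduPersonAffiliation: ["member", "staff"], department: ["finance"],
              accountStatus: ["suspended"] };
console.log(resolveEntitlements(alice), resolveEntitlements(bob));
```

Because the application trusts whatever entitlement values arrive, the attribute release policy and the integrity of the assertion carry the whole authorization decision in this model.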
Groups & Roles vs Entitlement (Privileges)
<pending>
Centralized vs distributed models
...