The RS is obligated to disallow access
if the AS cannot provide sufficient rights, in all cases.
This has several implications. If the RS has additional business
rules whereby a party might get access even though they are not UMA
authorized (break glass? Admin or Help Desk), the RS HAS to
determine if a user is a special user BEFORE making the request to
the AS, since once it has an answer, it is obligated to deny.
This implies that the RS cannot opt out once the request to the AS
is made.
It feels a little bit like don't ask, don't tell!
My concern is that the RS is ALWAYS the final arbitrator of access
control, whether UMA, DAC or MAC. It should be able to modify its
behavior based on local business rules and exceptions.
Allan
--
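An added illustration of the ordering constraint the post describes (not code from the post or from any UMA implementation): an RS that wants to honour local exceptions such as break-glass or help-desk roles has to evaluate them before it consults the AS, because once the AS has answered with insufficient scopes the RS is bound to deny. The `Request`, `Decision`, `ask_as` and `local_exception` names, the simulated AS grant table and the sample users are all constructed for this example.

```python
"""Hypothetical RS decision logic showing why local exceptions must be
checked BEFORE the AS is asked: after the AS answers, the RS is committed
to its result and can no longer apply a local override."""

from dataclasses import dataclass


@dataclass
class Request:
    user: str
    resource: str
    needed_scopes: frozenset
    roles: frozenset = frozenset()
    break_glass: bool = False  # caller asserts an emergency override


@dataclass
class Decision:
    allowed: bool
    reason: str
    as_consulted: bool  # True once the RS has asked the AS and is bound by it


# Constructed sample data: the AS's view of which scopes each user holds.
SIMULATED_AS_GRANTS = {
    "alice": {"patient-42": frozenset({"read"})},
    "bob": {"patient-42": frozenset({"read", "write"})},
}

# RS-side roles that local business rules allow through without UMA.
LOCAL_EXCEPTION_ROLES = {"helpdesk", "admin"}

# Break-glass use is recorded so it can be reviewed afterwards.
AUDIT = []


def ask_as(user, resource):
    """Stand-in for the RS -> AS call that returns the scopes granted."""
    return SIMULATED_AS_GRANTS.get(user, {}).get(resource, frozenset())


def local_exception(req):
    """Evaluate RS-local rules first. Return a reason if the request is
    allowed without involving the AS, otherwise None."""
    if req.break_glass:
        AUDIT.append(("break-glass", req.user, req.resource))
        return "break-glass override (audited)"
    matched = req.roles & LOCAL_EXCEPTION_ROLES
    if matched:
        return f"local role exception: {sorted(matched)}"
    return None


def decide(req):
    """Local exceptions first; only then ask the AS, whose answer binds."""
    reason = local_exception(req)
    if reason:
        return Decision(True, reason, as_consulted=False)
    granted = ask_as(req.user, req.resource)
    # From here on the RS cannot opt out: insufficient scopes mean deny,
    # regardless of any local rule it might otherwise have applied.
    if req.needed_scopes <= granted:
        return Decision(True, "AS granted sufficient scopes", as_consulted=True)
    missing = sorted(req.needed_scopes - granted)
    return Decision(False, f"AS grants {sorted(granted)}; missing {missing}",
                    as_consulted=True)


if __name__ == "__main__":
    for r in (
        Request("alice", "patient-42", frozenset({"read"})),
        Request("alice", "patient-42", frozenset({"write"})),
        Request("carol", "patient-42", frozenset({"write"}), roles=frozenset({"helpdesk"})),
        Request("dave", "patient-42", frozenset({"write"}), break_glass=True),
    ):
        d = decide(r)
        print(r.user, "->", "ALLOW" if d.allowed else "DENY", "|", d.reason)
```

The `as_consulted` flag makes the commitment explicit: every decision that reaches the AS carries it, and no code path applies `local_exception` after that point, which is the property the post argues the RS must preserve.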