Hi!

I just came across this thread and thought I'd add my 2 cents about 
XACML etc. for SOA. I agree with most of what was said so far.

There is one aspect that is rapidly emerging to solve some of the 
policy management challenges, in particular the unmanageability 
and "update hell" related to fine-grained (e.g. XACML) policies in 
agile SOA environments.
This technology approach is called "model-driven security", and the 
basic idea is to automatically generate fine-grained policy rules from 
intuitive high-level security requirements and system models (e.g. 
BPM workflows or UMLs). This way, you only have to manage the 
intuitive requirements, and also you do not have to update everything 
every time the system configuration changes (it can do that a lot in 
SOA!).

You can read up on this at www.modeldrivensecurity.org, and find some 
demo videos at www.openpmf.com.

This is one of the missing parts of an overall policy management 
architecture (XACML is another potential part of the solution).

It is also related to the PAL language discussion earlier.

Regards,
Ulrich
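
The rule-generation idea described in the message above, sketched as an added example (not part of the original post and not OpenPMF code). The model format, the requirement mapping, and every service, operation and role name are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    """One edge of the system model: caller invokes operation on callee."""
    caller: str
    callee: str
    operation: str
    data_class: str  # constructed labels: "public" or "confidential"

@dataclass(frozen=True)
class Rule:
    """Fine-grained permit rule, shaped like an XACML target plus condition."""
    subject: str
    resource: str
    action: str
    required_role: str  # "" means no role condition

# High-level requirement (constructed): data class -> role needed to touch it.
REQUIREMENT = {"confidential": "clinician"}

def generate_rules(model, requirement):
    """Expand the requirement over every flow in the model."""
    return {Rule(f.caller, f.callee, f.operation,
                 requirement.get(f.data_class, "")) for f in model}

def decide(rules, subject, resource, action, roles):
    """Default deny: permit only if a generated rule matches."""
    for r in rules:
        if (r.subject, r.resource, r.action) == (subject, resource, action):
            if not r.required_role or r.required_role in roles:
                return "Permit"
    return "Deny"

def policy_delta(old_model, new_model, requirement):
    """Rules to add and to retire after the system model changes."""
    old = generate_rules(old_model, requirement)
    new = generate_rules(new_model, requirement)
    return new - old, old - new

MODEL_V1 = [Flow("portal", "records", "getRecord", "confidential"),
            Flow("portal", "scheduler", "listSlots", "public")]
# Reconfiguration: scheduler replaced by booking, billing now reads records.
MODEL_V2 = [Flow("portal", "records", "getRecord", "confidential"),
            Flow("portal", "booking", "listSlots", "public"),
            Flow("billing", "records", "getInvoiceData", "confidential")]
if __name__ == "__main__":
    added, removed = policy_delta(MODEL_V1, MODEL_V2, REQUIREMENT)
    print("add:", sorted(added, key=str), "retire:", sorted(removed, key=str))
```

Only `REQUIREMENT` is maintained by hand; the per-service rules and the delta after a reconfiguration are derived from the model.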


