This is a post in a serious of discussions I am starting to get some discussion going on XACML. I led the implementation of XACML on a large scale using the original SunXACML libraries as the PDP and I am sharing some of my insights as a way to elicit some requirements on the further development of XACML. The original post and index to these discussions is http://community.jboss.org/thread/175091?tstart=0.
This thread discusses Audit/Reporting.
I don't have a whole lot to say here. IT Security department, auditors and government agencies may require information on who has access to what. Deriving that from XACML policy files is not reasonable, so some reporting capability is necessary. I think it needs to be central.. or able to assemble a single report about all policies wherever they may be.
The second type of auditing might simply be logging of decisions as they are done realtime. This should not be turned on all the time as it could be a performance bottleneck. But for troubleshooting policies or for specific incidents it might need to be enabled on a limited basis.