<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Helvetica;
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Calibri Light";
panose-1:2 15 3 2 2 2 4 3 2 4;}
@font-face
{font-family:"Aptos Display";}
@font-face
{font-family:Aptos;}
@font-face
{font-family:remialcxesans;
panose-1:0 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:template-CbyZv7ONEe6-oGBFvdGUFw;
panose-1:0 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:zone-1;
panose-1:0 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:zones-AQ;
panose-1:0 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Amazon Ember Heavy";}
@font-face
{font-family:"Amazon Ember Light";}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:12.0pt;
font-family:"Aptos",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Aptos",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
mso-ligatures:none;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.25in 1.0in 1.25in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:57946185;
mso-list-template-ids:1248384186;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1
{mso-list-id:899562564;
mso-list-template-ids:-1873130360;}
@list l1:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l1:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt">There are two separate permission sets here—and technically two different resource types. The first is the permission to “create” a specific
<u>type</u> of resource (in this case a loan). The attributes that allow the grant would be a combination of person attributes (e.g. a manager) and the resource to be created (e.g. loan amount, state the loan is originated in, etc.). This is basically the “class”
of resource that need authorization. This is a different permission set than acting on an existing loan, which would be based on whether that specific person is allowed to manage the loan—essentially the actual resource itself. They are related, but not the
same. I’m still getting familiar with this specification, but would think that the “create” action for a class of resource and “update” action of a specific instance of that resource would be different.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri Light",sans-serif;color:#777777;background:white;mso-ligatures:standardcontextual">Mark Marciante | Director, Digital Health | Leavitt Partners | (410) 487-5336 (cell) | (202) 439-8578
(work) | </span><a href="mailto:mark.marciante@leavittpartners.com"><span style="font-size:11.0pt;font-family:"Calibri Light",sans-serif;background:white;mso-ligatures:standardcontextual">mark.marciante@leavittpartners.com</span></a><span style="font-size:11.0pt;font-family:"Calibri Light",sans-serif;color:#777777;background:white;mso-ligatures:standardcontextual">
| </span><a href="http://www.leavittpartners.com/" target="_blank"><span style="font-size:11.0pt;font-family:"Calibri Light",sans-serif;color:#777777;background:white;mso-ligatures:standardcontextual">www.leavittpartners.com</span></a><span style="font-size:11.0pt;font-family:"Calibri Light",sans-serif;color:#777777;background:white;mso-ligatures:standardcontextual"> </span><span style="font-size:11.0pt;mso-ligatures:standardcontextual"><o:p></o:p></span></p>
</div>
</div>
</div>
</div>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Openid-specs-authzen <openid-specs-authzen-bounces@lists.openid.net>
<b>On Behalf Of </b>Lombardo, Jeff via Openid-specs-authzen<br>
<b>Sent:</b> Thursday, May 8, 2025 2:23 PM<br>
<b>To:</b> AuthZEN Working Group List <openid-specs-authzen@lists.openid.net><br>
<b>Cc:</b> Lombardo, Jeff <jeffsec@amazon.com><br>
<b>Subject:</b> Re: [Openid-specs-authzen] A question on resource identifiers for resources that do not exist yet<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span lang="EN-CA" style="font-size:11.0pt">It is a real life use case and yes it can be bound a lot of constraints other than amount.<br>
<br>
By the way it fits the API GW testing case where I check if you can POST on /loan with a body payload… before talking to the backend that could others checks.
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-CA" style="font-size:11.0pt"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><b><span lang="FR-CA" style="font-size:10.0pt;font-family:"Amazon Ember Heavy"">Jean-François “<span style="color:#E97132">Jeff</span>” Lombardo</span></b><span lang="FR-CA" style="font-size:11.0pt"> </span><span lang="FR-CA" style="font-size:10.0pt;font-family:"Amazon Ember Light"">|<span style="color:gray">
</span><span style="color:#E97132">Amazon Web Services<o:p></o:p></span></span></p>
<p class="MsoNormal"><span lang="FR-CA" style="font-size:4.0pt;font-family:"Amazon Ember Light";color:gray"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Amazon Ember Light";color:gray">Principal Solution Architect, Security Specialist - Montréal, Canada<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Amazon Ember Light";color:gray">Mobile: 514.778.5565<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:4.0pt;font-family:"Amazon Ember Light";color:gray"><o:p> </o:p></span></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt;font-family:"Amazon Ember Light";color:gray">Thoughts on our interaction? Provide feedback
</span></i><a href="https://urldefense.com/v3/__https:/feedback.aws.amazon.com/?ea=jeffsec&fn=Jean*20Francois&ln=Lombardo__;JQ!!Pe07N362zA!0k9CkAV8Djpw_8EfIAKrbhP3TQrJr0oMnznlUgBJ3V3NoEk6hihx7dNHnQuejn6SSH2CP8Iow3G-tTzppHeg$"><i><span style="font-size:10.0pt;font-family:"Amazon Ember Light";color:#467886">here</span></i></a><i><span style="font-size:10.0pt;font-family:"Amazon Ember Light";color:gray">.<o:p></o:p></span></i></p>
</div>
<p class="MsoNormal"><span lang="FR-CA" style="font-size:11.0pt"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Openid-specs-authzen <</span><a href="mailto:openid-specs-authzen-bounces@lists.openid.net"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">openid-specs-authzen-bounces@lists.openid.net</span></a><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">>
<b>On Behalf Of </b>David Hyland via Openid-specs-authzen<br>
<b>Sent:</b> May 8, 2025 8:33 AM<br>
<b>To:</b> AuthZEN Working Group List <</span><a href="mailto:openid-specs-authzen@lists.openid.net"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">openid-specs-authzen@lists.openid.net</span></a><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">><br>
<b>Cc:</b> David Hyland <</span><a href="mailto:Dave@mydigitalid.info"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Dave@mydigitalid.info</span></a><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">><br>
<b>Subject:</b> RE: [EXT] [Openid-specs-authzen] A question on resource identifiers for resources that do not exist yet<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="FR-CA"><o:p> </o:p></span></p>
<div>
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" style="border-collapse:collapse">
<tbody>
<tr style="height:15.25pt">
<td width="1123" valign="top" style="width:842.35pt;border:solid #ED7D31 1.5pt;padding:0in 5.4pt 0in 5.4pt;height:15.25pt">
<p><strong><span style="font-size:10.0pt;font-family:"Aptos",sans-serif;color:black;background:#FFFF99">CAUTION</span></strong><span style="font-size:10.0pt;font-family:"Times New Roman",serif;color:black;background:#FFFF99">: This email originated from outside
of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe.</span><span style="font-size:10.0pt;font-family:"Times New Roman",serif"><o:p></o:p></span></p>
</td>
</tr>
</tbody>
</table>
</div>
<p class="MsoNormal"><span lang="FR-CA"><o:p> </o:p></span></p>
<div>
<div>
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" style="border-collapse:collapse">
<tbody>
<tr style="height:15.25pt">
<td width="1123" valign="top" style="width:842.35pt;border:solid #ED7D31 1.5pt;padding:0in 5.4pt 0in 5.4pt;height:15.25pt">
<p><strong><span style="font-size:10.0pt;font-family:"Aptos",sans-serif;color:black;background:#FFFF99">AVERTISSEMENT</span></strong><span style="font-size:10.0pt;font-family:"Times New Roman",serif;color:black;background:#FFFF99">: Ce courrier électronique
provient d’un expéditeur externe. Ne cliquez sur aucun lien et n’ouvrez aucune pièce jointe si vous ne pouvez pas confirmer l’identité de l’expéditeur et si vous n’êtes pas certain que le contenu ne présente aucun risque.</span><span style="font-size:10.0pt;font-family:"Times New Roman",serif"><o:p></o:p></span></p>
</td>
</tr>
</tbody>
</table>
</div>
<p class="MsoNormal"><span lang="FR-CA"><o:p> </o:p></span></p>
<div>
<div>
<div>
<p class="MsoNormal"><span lang="FR-CA">You do have a resource ID - it’s the product id. The amount may be a condition of the product type - determined by the product id. But I really don’t think it this would actually be a real life check as there would be
a pile of other criteria including the customer, term and other loan optionality that would be customer based.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="FR-CA"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="FR-CA">dh<o:p></o:p></span></p>
</div>
</div>
<div id="ms-outlook-mobile-body-separator-line">
<p class="MsoNormal"><span lang="FR-CA"><o:p> </o:p></span></p>
</div>
<div id="ms-outlook-mobile-signature">
<p class="MsoNormal"><span lang="FR-CA">Get </span><a href="https://urldefense.com/v3/__https:/aka.ms/o0ukef__;!!NwMct28-Ww!MYRcQtUR_PVzLymGuGTWuxUBmYmrjcpfirmfieHbGdDBK-sSV3ikkauxJ2g9lFUASasgHZAH0kQbeRIuCWKxbiUIB2iYhZjnNkWeGRq5Icg$"><span lang="FR-CA">Outlook
for iOS</span></a><span lang="FR-CA"><o:p></o:p></span></p>
</div>
<div class="MsoNormal" align="center" style="text-align:center"><span lang="FR-CA">
<hr size="2" width="98%" align="center">
</span></div>
<div id="divRplyFwdMsg">
<p class="MsoNormal"><b><span lang="FR-CA" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">From:</span></b><span lang="FR-CA" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black"> Openid-specs-authzen <</span><a href="mailto:openid-specs-authzen-bounces@lists.openid.net"><span lang="FR-CA" style="font-size:11.0pt;font-family:"Calibri",sans-serif">openid-specs-authzen-bounces@lists.openid.net</span></a><span lang="FR-CA" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">>
on behalf of Allan via Openid-specs-authzen <</span><a href="mailto:openid-specs-authzen@lists.openid.net"><span lang="FR-CA" style="font-size:11.0pt;font-family:"Calibri",sans-serif">openid-specs-authzen@lists.openid.net</span></a><span lang="FR-CA" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">><br>
<b>Sent:</b> Thursday, May 8, 2025 2:13:34 PM<br>
<b>To:</b> AuthZEN Working Group List <</span><a href="mailto:openid-specs-authzen@lists.openid.net"><span lang="FR-CA" style="font-size:11.0pt;font-family:"Calibri",sans-serif">openid-specs-authzen@lists.openid.net</span></a><span lang="FR-CA" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">><br>
<b>Cc:</b> Allan <</span><a href="mailto:allan@macguru.com"><span lang="FR-CA" style="font-size:11.0pt;font-family:"Calibri",sans-serif">allan@macguru.com</span></a><span lang="FR-CA" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">><br>
<b>Subject:</b> Re: [Openid-specs-authzen] A question on resource identifiers for resources that do not exist yet</span><span lang="FR-CA">
<o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span lang="FR-CA"> <o:p></o:p></span></p>
</div>
</div>
<div>
<p class="MsoNormal"><span lang="FR-CA"><img border="0" width="1" height="1" style="width:.0104in;height:.0104in" id="_x0000_i1040" src="https://receipts.canarymail.io/track/AE980BFE3A76DE71B7ADC1325DB56676_9AC0E9560293D7A3C0A577D5BE44B398.png"></span><span lang="FR-CA"><o:p></o:p></span></p>
<div id="x_CanaryBody">
<div>
<p class="MsoNormal"><span lang="FR-CA">well it does bring up the rather interesting case of create <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="FR-CA"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="FR-CA"> create doesn't have. resource ID<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="FR-CA"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="FR-CA">allan<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="FR-CA"><o:p> </o:p></span></p>
</div>
</div>
<div id="x_CanarySig">
<div>
<div>
<p class="MsoNormal"><span lang="FR-CA" style="font-family:"Helvetica",sans-serif">--<br>
Sent from </span><a href="https://urldefense.com/v3/__https:/canarymail.io__;!!NwMct28-Ww!MYRcQtUR_PVzLymGuGTWuxUBmYmrjcpfirmfieHbGdDBK-sSV3ikkauxJ2g9lFUASasgHZAH0kQbeRIuCWKxbiUIB2iYhZjnNkWe9k1nRo0$"><span lang="FR-CA" style="font-family:"Helvetica",sans-serif">Canary</span></a><span lang="FR-CA" style="font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="FR-CA"><o:p> </o:p></span></p>
</div>
</div>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt" id="x_CanaryBlockquote">
<div>
<div>
<p class="MsoNormal"><span lang="FR-CA">On Thursday, May 08, 2025 at 12:58, Andres Aguiar via Openid-specs-authzen <</span><a href="mailto:openid-specs-authzen@lists.openid.net"><span lang="FR-CA">openid-specs-authzen@lists.openid.net</span></a><span lang="FR-CA">>
wrote:<o:p></o:p></span></p>
</div>
<div>
<div>
<p class="MsoNormal"><span lang="FR-CA">Couldn't the resource be a higher level entity? e.g. the Region? the customer? the bank branch? If it's B2B, the organization?
<o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span lang="FR-CA"><o:p> </o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="FR-CA"><o:p> </o:p></span></p>
<div>
<div>
<p class="MsoNormal"><span lang="FR-CA">On Thu, May 8, 2025 at 7:46</span><span lang="FR-CA" style="font-family:"Arial",sans-serif"> </span><span lang="FR-CA">AM Andrew Clymer via Openid-specs-authzen <</span><a href="mailto:openid-specs-authzen@lists.openid.net"><span lang="FR-CA">openid-specs-authzen@lists.openid.net</span></a><span lang="FR-CA">>
wrote:<o:p></o:p></span></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<div>
<div>
<div>
<p><strong><span lang="FR-CA" style="font-family:"Aptos",sans-serif">This message originated outside your organization.</span></strong><span lang="FR-CA"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="FR-CA"><o:p> </o:p></span></p>
<div class="MsoNormal" align="center" style="text-align:center"><span lang="FR-CA">
<hr size="2" width="100%" align="center">
</span></div>
<p class="MsoNormal"><span lang="FR-CA"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="FR-CA" style="font-family:"Aptos Display",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="FR-CA" style="font-family:"Aptos Display",sans-serif;color:black">Sounds to me that resource Id shouldn't be mandatory, or that the resource Id is for the collection of loans. Passing a resource ID of 0 works, but that just
feels like a magic value.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="FR-CA" style="font-family:"Aptos Display",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="FR-CA" style="font-family:"Aptos Display",sans-serif;color:black">Andy<o:p></o:p></span></p>
</div>
<div>
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" width="100%" style="width:100.0%;border-collapse:collapse">
<tbody>
<tr>
<td style="padding:0in 0in 0in 0in">
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" style="background:white;border-collapse:collapse">
<tbody>
<tr>
<td valign="top" style="padding:0in 0in 0in 0in">
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" width="100%" style="width:100.0%;border-collapse:collapse">
<tbody>
<tr>
<td valign="top" style="padding:0in 0in 0in 0in">
<p class="MsoNormal"><a href="https://urldefense.com/v3/__https:/registry.blockmarktech.com/certificates/53f9a3ba-4ba6-4879-8b4d-5f5d3a413118/__;!!PwKahg!_oZpQyjahZpIjImVt2l6ty3_-UC8PNZSaGZmAWvERr278XS6PPKI2I3Gi8NZ16drBnWdfG3cu4SLh1nKc-3u8iaYU7jmzeCjzA$" target="_blank"><span style="font-size:1.0pt;text-decoration:none"><img border="0" width="100" height="100" style="width:1.0416in;height:1.0416in" id="Picture_x0020_2" src="cid:image001.png@01DBC02F.DE862210"></span></a><span style="font-size:1.0pt"><o:p></o:p></span></p>
</td>
<td valign="top" style="padding:0in 0in 0in 0in">
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" style="border-collapse:collapse">
<tbody>
<tr>
<td valign="top" style="border:none;border-right:solid #000001 3.0pt;padding:0in 0in 0in 0in">
<p class="MsoNormal"><span style="font-size:1.0pt"><img border="0" width="85" height="124" style="width:.8854in;height:1.2916in" id="Picture_x0020_1" src="cid:image002.png@01DBC02F.DE862210"></span><span style="font-size:1.0pt"><o:p></o:p></span></p>
</td>
</tr>
</tbody>
</table>
</td>
<td valign="top" style="padding:0in 0in 0in 0in">
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" width="100%" style="width:100.0%;border-collapse:collapse">
<tbody>
<tr>
<td valign="top" style="padding:5.25pt 0in 0in 5.25pt">
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" width="100%" style="width:100.0%;border-collapse:collapse">
<tbody>
<tr>
<td style="padding:0in 0in 0in 0in">
<p class="MsoNormal" style="text-align:justify;line-height:10.5pt"><span style="font-size:10.0pt;font-family:"Calibri",sans-serif;color:#000001"><br>
We are the first IdentityServer partner to become a Certified B Corporation™.<br>
Head to our </span><a href="https://urldefense.com/v3/__https:/www.rocksolidknowledge.com/mission-statement__;!!PwKahg!_oZpQyjahZpIjImVt2l6ty3_-UC8PNZSaGZmAWvERr278XS6PPKI2I3Gi8NZ16drBnWdfG3cu4SLh1nKc-3u8iaYU7jhI1Aj0A$" target="_blank" title="https://www.rocksolidknowledge.com/mission-statement"><span style="font-size:10.0pt;font-family:"Calibri",sans-serif;color:#3A13CD;text-decoration:none">mission
</span></a><a href="https://urldefense.com/v3/__https:/www.rocksolidknowledge.com/mission-statement__;!!PwKahg!_oZpQyjahZpIjImVt2l6ty3_-UC8PNZSaGZmAWvERr278XS6PPKI2I3Gi8NZ16drBnWdfG3cu4SLh1nKc-3u8iaYU7jhI1Aj0A$" target="_blank" title="https://www.rocksolidknowledge.com/mission-statement"><span style="font-size:10.0pt;font-family:"Calibri",sans-serif;color:#3A13CD;text-decoration:none">sta</span></a><a href="https://urldefense.com/v3/__https:/www.rocksolidknowledge.com/mission-statement__;!!PwKahg!_oZpQyjahZpIjImVt2l6ty3_-UC8PNZSaGZmAWvERr278XS6PPKI2I3Gi8NZ16drBnWdfG3cu4SLh1nKc-3u8iaYU7jhI1Aj0A$" target="_blank" title="https://www.rocksolidknowledge.com/mission-statement"><span style="font-size:10.0pt;font-family:"Calibri",sans-serif;color:#3A13CD;text-decoration:none">tement</span></a><span style="font-size:10.0pt;font-family:"Calibri",sans-serif;color:#000001"> to
read more about the ways we’re using business as a force for good.<br>
<br>
Rock Solid Knowledge Ltd is a company registered in England and Wales under number 6811209.<br>
Registered office: C2, Vantage Office Park, Old Gloucester Road, Bristol, BS16 1GW, United Kingdom<br>
Vat registered: GB948 1966 72</span><span style="font-size:8.0pt;font-family:"Calibri",sans-serif;color:#000001"><o:p></o:p></span></p>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><span lang="FR-CA" style="font-size:1.0pt;font-family:"remialcxesans",serif"> </span><span lang="FR-CA" style="font-size:1.0pt;font-family:"template-CbyZv7ONEe6-oGBFvdGUFw",serif"> </span><span lang="FR-CA" style="font-size:1.0pt;font-family:"zone-1",serif"> </span><span lang="FR-CA" style="font-size:1.0pt;font-family:"zones-AQ",serif"> </span><span lang="FR-CA" style="font-size:1.0pt"><o:p></o:p></span></p>
</div>
<div class="MsoNormal" align="center" style="text-align:center"><span lang="FR-CA">
<hr size="2" width="98%" align="center">
</span></div>
<div id="x_m_7355996677732884344divRplyFwdMsg">
<p class="MsoNormal"><b><span lang="FR-CA" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">From:</span></b><span lang="FR-CA" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black"> Openid-specs-authzen <</span><a href="mailto:openid-specs-authzen-bounces@lists.openid.net" target="_blank"><span lang="FR-CA" style="font-size:11.0pt;font-family:"Calibri",sans-serif">openid-specs-authzen-bounces@lists.openid.net</span></a><span lang="FR-CA" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">>
on behalf of Allan via Openid-specs-authzen <</span><a href="mailto:openid-specs-authzen@lists.openid.net" target="_blank"><span lang="FR-CA" style="font-size:11.0pt;font-family:"Calibri",sans-serif">openid-specs-authzen@lists.openid.net</span></a><span lang="FR-CA" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">><br>
<b>Sent:</b> 08 May 2025 11:40<br>
<b>To:</b> AuthZEN Working Group List <</span><a href="mailto:openid-specs-authzen@lists.openid.net" target="_blank"><span lang="FR-CA" style="font-size:11.0pt;font-family:"Calibri",sans-serif">openid-specs-authzen@lists.openid.net</span></a><span lang="FR-CA" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">><br>
<b>Cc:</b> Allan <</span><a href="mailto:allan@macguru.com" target="_blank"><span lang="FR-CA" style="font-size:11.0pt;font-family:"Calibri",sans-serif">allan@macguru.com</span></a><span lang="FR-CA" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">><br>
<b>Subject:</b> Re: [Openid-specs-authzen] A question on resource identifiers for resources that do not exist yet</span><span lang="FR-CA">
<o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span lang="FR-CA"> <o:p></o:p></span></p>
</div>
</div>
<div>
<p class="MsoNormal"><span lang="FR-CA"><o:p> </o:p></span></p>
<div id="x_m_7355996677732884344x_">
<div>
<p class="MsoNormal"><span lang="FR-CA">hmmm<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="FR-CA"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="FR-CA">surely customer is part of the resource? and a create can simply use a resource ID of 0 or -1. or null<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="FR-CA"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="FR-CA">allan<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="FR-CA"><o:p> </o:p></span></p>
</div>
</div>
<div id="x_m_7355996677732884344x_">
<div>
<div>
<p class="MsoNormal"><span lang="FR-CA" style="font-family:"Helvetica",sans-serif">--<br>
Sent from </span><a href="https://urldefense.com/v3/__https:/canarymail.io__;!!PwKahg!_oZpQyjahZpIjImVt2l6ty3_-UC8PNZSaGZmAWvERr278XS6PPKI2I3Gi8NZ16drBnWdfG3cu4SLh1nKc-3u8iaYU7iALaQ4yQ$" target="_blank"><span lang="FR-CA" style="font-family:"Helvetica",sans-serif">Canary</span></a><span lang="FR-CA" style="font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="FR-CA"><o:p> </o:p></span></p>
</div>
</div>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt" id="x_m_7355996677732884344x_">
<div>
<div>
<p class="MsoNormal"><span lang="FR-CA">On Thursday, May 08, 2025 at 12:34, David Brossard via Openid-specs-authzen <</span><a href="mailto:openid-specs-authzen@lists.openid.net" target="_blank"><span lang="FR-CA">openid-specs-authzen@lists.openid.net</span></a><span lang="FR-CA">>
wrote:<o:p></o:p></span></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><span lang="FR-CA">Hi all,<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="FR-CA"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="FR-CA">Interesting use case from EIC: I want to write a policy that determines how a loan-to-be can be created.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="FR-CA"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="FR-CA">Managers can create a loan for a customer in their region up to their max allowed amount for the employee (and/or customer).<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="FR-CA"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="FR-CA">The request would then be:<o:p></o:p></span></p>
</div>
<div>
<ul type="disc">
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo3">
<span lang="FR-CA">Can Alice the employee create loan with amount 1234?<o:p></o:p></span></li></ul>
<p class="MsoNormal"><span lang="FR-CA">In this type of request, because the loan hasn't been created we do not have a loan ID or resource ID. But, because AuthZEN makes the resource ID mandatory in the evaluation API, what approach do we want to recommend?<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="FR-CA"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="FR-CA">David <o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="FR-CA">-- <br>
Openid-specs-authzen mailing list <br>
</span><a href="mailto:Openid-specs-authzen@lists.openid.net" target="_blank"><span lang="FR-CA">Openid-specs-authzen@lists.openid.net</span></a><span lang="FR-CA">
<br>
</span><a href="https://urldefense.com/v3/__https:/lists.openid.net/mailman/listinfo/openid-specs-authzen__;!!PwKahg!_oZpQyjahZpIjImVt2l6ty3_-UC8PNZSaGZmAWvERr278XS6PPKI2I3Gi8NZ16drBnWdfG3cu4SLh1nKc-3u8iaYU7gKBSldXg$" target="_blank"><span lang="FR-CA">https://lists.openid.net/mailman/listinfo/openid-specs-authzen</span></a>
<span lang="FR-CA"><o:p></o:p></span></p>
</div>
</div>
</blockquote>
</div>
</div>
<p class="MsoNormal"><span lang="FR-CA">-- <br>
Openid-specs-authzen mailing list<br>
</span><a href="mailto:Openid-specs-authzen@lists.openid.net" target="_blank"><span lang="FR-CA">Openid-specs-authzen@lists.openid.net</span></a><span lang="FR-CA"><br>
</span><a href="https://urldefense.com/v3/__https:/lists.openid.net/mailman/listinfo/openid-specs-authzen__;!!NwMct28-Ww!MYRcQtUR_PVzLymGuGTWuxUBmYmrjcpfirmfieHbGdDBK-sSV3ikkauxJ2g9lFUASasgHZAH0kQbeRIuCWKxbiUIB2iYhZjnNkWeDw60cCs$" target="_blank"><span lang="FR-CA">https://lists.openid.net/mailman/listinfo/openid-specs-authzen</span></a><span lang="FR-CA"><o:p></o:p></span></p>
</div>
</blockquote>
</div>
<p class="MsoNormal"><span lang="FR-CA">-- <br>
Openid-specs-authzen mailing list <br>
</span><a href="mailto:Openid-specs-authzen@lists.openid.net"><span lang="FR-CA">Openid-specs-authzen@lists.openid.net</span></a><span lang="FR-CA">
<br>
</span><a href="https://urldefense.com/v3/__https:/lists.openid.net/mailman/listinfo/openid-specs-authzen__;!!NwMct28-Ww!MYRcQtUR_PVzLymGuGTWuxUBmYmrjcpfirmfieHbGdDBK-sSV3ikkauxJ2g9lFUASasgHZAH0kQbeRIuCWKxbiUIB2iYhZjnNkWeDw60cCs$"><span lang="FR-CA">https://lists.openid.net/mailman/listinfo/openid-specs-authzen</span></a>
<span lang="FR-CA"><o:p></o:p></span></p>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</body>
</html>