118
Authorization Decision Response
<Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol"
                   ID="abcdef987"
                   InResponseTo="eeaadce312"
                   Version="2.0"
                   IssueInstant="2005-01-31T12:00:00Z"
                   Destination="https://www.CarRentalInc.com">
    ...
    <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
                       Version="2.0"
                       IssueInstant="2005-01-31T12:00:00Z"
                       ID="c152aef34">
        ...
        <AuthzDecisionStatement Resource="http://www.CarRentalInc.com/employees/salaries"
                                                   Decision="Deny">
            <Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc-negation">Read</Action>
        </AuthzDecisionStatement>
        <AuthzDecisionStatement Resource="http://www.CarRentalInc.com/employees/salaries"
                                                   Decision="Deny">
            <Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc-negation">Write</Action>
        </AuthzDecisionStatement>
    </Assertion>
</Response>
Deny read.
Deny write.
see example06.b