
normativeness of "Common Actions" #48

Open
tr33 opened this issue Nov 6, 2023 · 3 comments

Comments

@tr33

tr33 commented Nov 6, 2023

"Common Actions" currently defines 4 CRUD and one generic "access" action.

Are those normative and mandatory for PDP/PEP spec compliance?
How should a PDP respond in cases where a common action is not implemented or does not make sense for a Subject/Resource combination or policy?

@ggebel (Collaborator)

ggebel commented Nov 14, 2023

See section 3.7.2

@tr33 (Author)

tr33 commented Nov 14, 2023

Section 3.7.2 only states that custom actions can be any other arbitrary string.
But there are use cases where an action represents an actual function with parameters and values that are subject to a policy decision.
Example use cases for such actions:

  • transfer_money (amount = 100, currency = XY)
  • set_credit_amount (value = 20000)

A policy might not only want to check if a subject has the permission to perform an action on a resource, but also check complex parameter values of that action at runtime.

Suggestion:
make a clear statement that the "action" can be represented either as
a) a string value, referring to an arbitrary action in the context of the policy
or
b) a JSON representation of a complex object that represents an action with attributes and/or parameters.
example representation:

"action": {
  "name": "transfer_money",
  "amount": 100.00,
  "currency": "EUR"
}

to be clear: both forms should be legitimate and supported representations for "actions". That's up to the PEP/PDP/Policy.
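One way a PDP could accept both proposed action forms (plain string, or object with a "name" plus parameters) and check the parameter values at decision time, as an added example that is not part of this issue or of any AuthZEN implementation. The request layout (subject/resource/action), the rule table, the currency whitelist and the per-subject transfer limit are assumptions constructed for the illustration; the "reason" key on deny is also this example's choice. Unknown or malformed actions deny by default, which is one answer to the question above of how a PDP should respond when an action is not implemented for a given subject/resource combination.

```python
from dataclasses import dataclass
from typing import Any, Callable


@dataclass(frozen=True)
class Action:
    name: str
    params: dict[str, Any]


def normalize_action(raw: Any) -> Action:
    """Accept the string form or the object form and return one shape.

    The object form must carry a non-empty string "name"; every other key
    is treated as a parameter of the action.
    """
    if isinstance(raw, str):
        if not raw:
            raise ValueError("action string must not be empty")
        return Action(raw, {})
    if isinstance(raw, dict):
        name = raw.get("name")
        if not isinstance(name, str) or not name:
            raise ValueError('action object requires a non-empty string "name"')
        params = {k: v for k, v in raw.items() if k != "name"}
        return Action(name, params)
    raise ValueError(f"unsupported action representation: {type(raw).__name__}")


# Policy rules keyed by action name; each is a predicate over
# (subject, resource, params). Values below are constructed for the example.
ALLOWED_CURRENCIES = {"EUR", "USD"}


def _can_read(subject: dict, resource: dict, params: dict) -> bool:
    return resource.get("owner") == subject.get("id")


def _can_transfer(subject: dict, resource: dict, params: dict) -> bool:
    if resource.get("owner") != subject.get("id"):
        return False
    amount = params.get("amount")
    currency = params.get("currency")
    # Parameter checks: positive numeric amount (bool is excluded explicitly
    # because it is an int subclass), known currency, within the subject's limit.
    if isinstance(amount, bool) or not isinstance(amount, (int, float)) or amount <= 0:
        return False
    if currency not in ALLOWED_CURRENCIES:
        return False
    limit = subject.get("transfer_limit", 0)
    return amount <= limit


RULES: dict[str, Callable[[dict, dict, dict], bool]] = {
    "read": _can_read,
    "transfer_money": _can_transfer,
}


def evaluate(request: dict) -> dict:
    """Return a decision object for one evaluation request.

    A malformed action or an action with no rule both yield deny (closed
    world); the reason is meant for the PEP's logs, not for end users.
    """
    try:
        action = normalize_action(request.get("action"))
    except ValueError as exc:
        return {"decision": False, "reason": f"malformed action: {exc}"}
    rule = RULES.get(action.name)
    if rule is None:
        return {"decision": False, "reason": f"no policy for action {action.name!r}"}
    subject = request.get("subject", {})
    resource = request.get("resource", {})
    return {"decision": bool(rule(subject, resource, action.params))}


if __name__ == "__main__":
    # Constructed sample requests covering both action representations.
    subject = {"id": "alice", "transfer_limit": 500}
    resource = {"id": "acct-1", "owner": "alice"}
    for action in [
        "read",
        {"name": "transfer_money", "amount": 100.00, "currency": "EUR"},
        {"name": "transfer_money", "amount": 900.00, "currency": "EUR"},
        {"name": "transfer_money", "amount": 100.00, "currency": "XY"},
        "delete",
    ]:
        print(action, "->", evaluate({"subject": subject, "resource": resource, "action": action}))
```

The normalization step is where both forms meet: once an action is an (name, params) pair, the rule for that name decides, and a rule that does not care about parameters simply ignores them, so string-only PEPs and parameter-carrying PEPs can share one PDP.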


3 participants