XACML for Authorization

standardized, attribute based, externalized, fine-grained and dynamic authorization for enterprise applications

What is new with XACML 3.0

These day, i am working on opensource XACML 3.0 implementation, called  “Balana”.  You can find the project from here.  Balana is an improvement of sun-xacml.  However i am not going to talk about Balana today…  But just want to share some knowledge with XACML 3.0  When I go through the XACML 3.0  Core specification, following are the main changes that i saw when comparing to  XACML 2.0….

Custom attribute categories

Custom attribute categories  can be defined with XACML 3.0. But in XACML 2.0, attributes have been organized into subject, resource, environment or action. As an example, think that you want to create an attribute category called “foo” in your policy and request. You can do it with XACML3 with out any issue. According to the XACML 3.0 policy schema, category of XACML element is identified by a XML attribute called “Category”.  As an example,

In XACML 2.0 Policy, you can define the attribute designator element as follows, But it must be a pre-defined category such as subject, resource, environment or action.

<ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>

In XACML 3.0 Policy, you can define it as follows. Category can be any thing as it is defined as an attribute of AttributeDesignator element

<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="resource" DataType="http://www.w3.org/2001/XMLSchema#string"/>


Improvements in Obligation

There are several improvements with Obligation in XACML 3.0 when compare to 2.0

One is the introduced of Obligation Expressions.  This would add dynamic expressions in to the obligation statements. To be more clear, lets go through an example…

Let assume that you want to do following with the Obligation.

“On deny, Tell the PEP to send an email to the user….”

In XACML 2.0,  you need to define the obligation element with the user email statically.

<Obligation ObligationId="send-email" FulfillOn="Deny">
<AttributeAssignment AttributeId="email" DataType="http://www.w3.org/2001/XMLSchema#string">user@foo.com</AttributeAssignment>

But user would not be same for each XACML request that is evaluated, Therefore it is not possible to configure the email statically in the Obligation element. Obligation can only say PEP to “please send email to user” (let the PEP figure out the value of user’s email)

<Obligation ObligationId="send-email" FulfillOn="Deny">
 <AttributeAssignment AttributeId="text" DataType="http://www.w3.org/2001/XMLSchema#string">please send email to user</AttributeAssignment>

But in XACML 3.0, email of each user can be retrieved using PIP in a dynamic manner as we can define na expression element inside the ObligationExpression. Therefore Obligation can say PEP to “please send email to user@foo.com address”

 <ObligationExpression ObligationId="send-email" FulfillOn="Deny">
 <AttributeAssignmentExpression AttributeId="email" DataType="http://www.w3.org/2001/XMLSchema#string">
 <AttributeDesignator AttributeId="email" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>

In XACML 2.0, obligations can only be added to policies and policy sets. But with XACML 3.0, rules can also contain Obligations.


Introduce of Advice

Advice is a newly introduced feature with XACML 3.0 which is similar to Obligations. But only different, when compared to Obligations, PEPs do not have to comply with advice statements. PEPs can consider or discard the statement. Common use case is to explain why something was denied. “User bob is denied Because he has not a valid email”


Improvement in Target element

Actually as we can define custom attribute categories, There are some improvements in some of the elements in the XACML 3.0 policy, when compared to 2.0.  With XACML 3. 0 Target element, we can define more complex authorization logic within itself  than 2 .0.

Because In XACML 2.0, Target element contains the OR and AND relationship between same category. But in XACML 3.0 AllOf and AnyOf elements have been introduced to Target element. That clearly has been helped  to define the OR and AND relationship between different categories.

As an example, let look at a Target element;

In XACML 2.0 , here we are having AND relationship between foo1 and foo2 resources and OR relationship between bar1 and bar2 actions. But we can not create and OR relationship between foo1 resource and bar1 action.  so we can not define something such as “Target would be matched, when Bob can access foo resource or do bar action” by using target element.

 <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">foo1</AttributeValue>
 <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
 <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">foo2</AttributeValue>
 <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
 <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">bar1</AttributeValue>
 <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
 <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">bar2</AttributeValue>
 <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>

In XACML3 , here we are having AND relationship between “foo” resource and “bar1″ role and OR relationship between “bar2″ action. so we can not define something such as “Target would be matched, when Bob can access foo resource and do bar1 action or do bar2 action”.

 <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">foo</AttributeValue>
 <AttributeDesignator MustBePresent="false"
 <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
 <AttributeDesignator MustBePresent="false"
 <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
 <AttributeDesignator MustBePresent="false"


More functions and algorithms

XACML3 has introduced new String functions such as


Some improvements to other functions such as


Also Improvements to exiting combine algorithms (deny-overrides , permit-overrides, ordered-deny-overrides and ordered-permit-overrides) and new two combine algorithms for policy and rule combining…



Improvements in XPath

New XPath data type has been introduced with XACML 3.0. In XACML 2.0 XPath has been defined as a String where it can not be defined the context that the namespace prefix are going to resolve. Also XPath based multiple decisions scheme has been introduced.


Improvement in XACML Request and Response.

As we can defined custom attribute categories, many types of attribute categories can be in the XACML 3.0 request. XACML 2.0 request can contains only Subject, resource, environment or action categories.

In XACML Response can contain additional data such as

Request attributes that are defined in the XACML response.
Applicable policy ids for given XACML request, are defined in the XACML response.


Multiple decision profile.

This is new profile which comes with XACML 3.0 and this is not incuced in XACML3 core specification. But this is very useful for performance improvement between PEP and PDP. As PEP can ask decisions for multiple requests in one XACML request.


Administrative delegation profile

This is also a new profile which comes with XACML 3.0. This allow to define policies about who can write policies about what. As an exmple.
“Bob may issue a policy but only about resources in department X”

We will discuss on Multiple decision profile and Administrative delegation profile more on my next blog post….   Thanks for reading..!!!

Discuss this article on Stack Overflow


Add a Comment
  1. Hey, I am trying to explore XACML 3.0 for the purpose I exported balana 1.0.0 in to my system, but I am all confused and messed help. Can you kindly guide me to configure it!
    Thanks in advance

      1. Exactly, the network issue was because of the proxy server at my work place. Thanks a lot for the quick response!

  2. Hi,

    Is the information in this blog post, in particular, the information about Obligations, only applicable to Balana, or does WSO2 Identity Server also support Obligations? I’ve been looking for information about that (WSO2 IS and Obligations) but haven’t been able to find anything thus far.

      1. Hi,

        Thanks. Can you point me to any information about how to configure/use that? Is it supported in the PAP also?

  3. Hi,

    I was able to get a small test using Obligations working, using a XACML 3.0 policy that I manually created, so it appears that there’s no PAP support for Obligations?

    Anyway, I also was able to get a small PIP Attribute Finder working. However, I then noted that the response puts the Decision and Obligations/Obligation elements inside a CDATA.



    Is that normal? Is there a way to NOT have those in a CDATA, because it makes it difficult to parse the response with Xpath.

    1. Hi,

      It appears that the XML I posted didn’t appear, so hopefully it will this time:

      &lt;soapenv:Envelope xmlns:soapenv=&quot;http://www.w3.org/2003/05/soap-envelope&quot;&gt;
            &lt;ns:getDecisionByAttributesResponse xmlns:ns=&quot;http://org.apache.axis2/xsd&quot;&gt;
               &lt;ns:return&gt;&lt;![CDATA[&lt;Response xmlns=&quot;urn:oasis:names:tc:xacml:3.0:core:schema:wd-17&quot;&gt;&lt;Result&gt;&lt;Decision&gt;Permit&lt;/Decision&gt;&lt;Status&gt;&lt;StatusCode Value=&quot;urn:oasis:names:tc:xacml:1.0:status:ok&quot;/&gt;&lt;/Status&gt;&lt;Obligations&gt;&lt;Obligation ObligationId=&quot;send-email&quot;&gt;&lt;AttributeAssignment  AttributeId=&quot;Filter1&quot; DataType=&quot;http://www.w3.org/2001/XMLSchema#string&quot;&gt;
      1. Hi Asela,

        Yes, I was sending the request into the Entitlement Service using SOAPUI and copy-pasted the response above from the response pane in SOAPUI. Is that CDATA normal for the WSO2 Entitlement Service response?

  4. Hi Asela,

    I tried using Firefox with the RESTclient plugin rather than SOAPUI, and I think I see what’s going on. Part of the response message is HTML-encoded (replacing < with ampersand-lt-semicolon, etc.). I think I saw this earlier even without the Obligation in the response, and I have code to do the HTML decode then I can Xpath on top of that.


Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

XACML for Authorization © 2015 Frontier Theme