Multiple decision profile – Hierarchical resources

In my previous post, we went though defining XACML policies for web application. Now i am going to try out the scenario, that is defined there with second approach. i.e. Multiple decision profile  with hierarchical resource profile.  Here i am using Identity Server which is an open source XACML engine that supports XACML 3.0, multiple decision profile and hierarchical resource profile

Step 1.  Web application (PEP) sends only the root resources and XACML engine (PDP) knows how to extract the child resources corresponding to root resources. Therefore XACML PDP must be fed with child resources. Identity Server provides an extension point for this. Therefore we can implement our own custom extension according to the our scenario. Please go through my previous blog on this.
Step 2.  You need to upload and publish these policies in to the XACML PDP as enabled policies. You can find more details from here.

Step 3. Create multiple decision request with scope attribute from PEP TryIt tool
Lets say.. web application needs to verify the permitted items in the index.jsp for user “asela” (“asela” is in privateUser role). Therefore web application needs to create a XACML request with scope attribute. Here TryIt UI does not support it. However we can create a draft XACML request from UI and need to add some more elements manually.


Followings are the important points on XACML request.

  • Root resource of the XACML request is identified by the attribute value with resource category; i.e “urn:oasis:names:tc:xacml:3.0:attribute-category:resource” and default resource id; i.e “urn:oasis:names:tc:xacml:1.0:resource:resource-id”.
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:root-resource-id" IncludeInResult="false">
<AttributeValue DataType="">index.jsp</AttributeValue>
  • Scope element of XACML request is identified by the the category “urn:oasis:names:tc:xacml:3.0:attribute-category:resource” and attribute id “urn:oasis:names:tc:xacml:2.0:resource:scope”.
<Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:resource:scope" IncludeInResult="false">
<AttributeValue DataType="">Children</AttributeValue>
  • Scope value can be either “Children” or “Descendants”. Descendants means all the resources under the root resource. Children means level 1 Descendants. However this could be related with your resource finder implementation.
  • Here we are sending root resource name as different attribute (attribute id is different, it can be any id according to the policy. Here i have used “urn:oasis:names:tc:xacml:1.0:resource:root-resource-id”) as Polices have been written according to it and PDP wants it for evaluation.
  • “Include in result” important to distinguish the results of XACML response and It has been added in to the Root resource element. Then all child/descendant resources would contain in the XACML response

Finally XACML request can be found from here

Step 3. Use PEP TryIt  tool invoke the PDP (Or else you can invoke “getDecision” method of the PDP API using SOAP UI )


Step 4. You can see the multiple decisions within same XACML response and We can distinguish each decision using the attribute values that are returned.


XACML response can be found here

Step 5. Web application needs to filter out the items (actions) that are permitted in the response and allow them to the user.

Discuss this article on Stack Overflow


  1. I have followed your policy, setting and request, but I could not get the same response as yours. I was wondering if you could give me some advices.

Leave a Reply

Your email address will not be published. Required fields are marked *