Banking Sample with XACML

Let's look at how XACML can be used in banking applications and how to implement a sample banking authorization system with an open source XACML engine.

Use case


  • There is a bank called KBank that offers ATM facilities and online money transfer facilities to its own customers.
  • KBank has an LDAP user store that contains customer details (user attributes and groups).
  • KBank has a legacy banking application that contains details about the customers' bank accounts.
  • When money is debited at an ATM machine, the customer must be authenticated with a card (name) and password.
  • When money is transferred using the online application, the customer must be authenticated with a username and password.
  • Later KBank understood that authentication is not enough: there are authorization requirements as well, to provide a better user experience and better security for ATM and online customers.

One example is the following.

KBank has assigned privilege levels to its own customers. There are two privilege levels, Gold and Silver. Only a few customers are assigned to these two privilege levels. These assignments are maintained in the user store by creating two groups called Gold and Silver and assigning users to them.

Authorization System with XACML


  • The ATM machine and the online application act as PEPs, which call a centralized PDP for authorization decisions.
  • Managers and policy administrators in KBank define the XACML policies for the PDP. There must be a user friendly interface for this.
  • Policies are stored in a policy store.
  • An authorization decision cannot be taken only by evaluating policies. There must be a way to call the KBank user store and the legacy banking application to build the correct decision, so the PDP must support multiple PIPs that can retrieve data from these external systems.

Implementing Sample Authorization System

Assume there are three customers:

bob –> has Gold privileges. Account balance of $50000.00

alice –> has Gold privileges. Account balance of $10000.00

peter –> has Silver privileges. Account balance of $30000.00

Step 1. Connect Identity Server to the KBank user store. You can edit the user-mgt.xml file of Identity Server to connect it to any user store.

Here I have used the embedded LDAP server that is shipped with Identity Server by default. Therefore I have created these users and groups in the LDAP using the Identity Server management console. You can create LDAP users called bob, alice and peter and LDAP groups called Gold and Silver, then assign the users to their respective groups.

By default, the Identity Server user store acts as a PIP for its PDP. Therefore, user attributes and groups can be retrieved from the LDAP user store for policy evaluation.

Step 2. Deploy a custom PIP module for the legacy banking application to retrieve the customer's account balance.

You can find the sample PIP module here; please refer to its README file. More details on writing a PIP module can be found here.

Step 3. Add these two policies to the PDP of Identity Server. You can find more details on adding policies to the PDP runtime here.

ATMPolicy1 — This policy contains a rule that checks whether the user's account balance is greater than the amount being debited. This policy calls the PIP module to retrieve the account balance of the user.

ATMPolicy2 — This policy contains rules that check the user's privilege level. This policy also calls a PIP to retrieve the user's roles.

Step 4. Download the ATM sample here. This is a command line sample and all dependent libraries can be found within the sample. The ATM sample contains a PEP module that calls the web service API of the Identity Server PDP.

Extending Sample

Say KBank needs to apply a new rule to its ATM machines: customers can only debit money from 9.00AM to 4.00PM.

Step 1. Create a new time based policy

I have used the basic policy editor of Identity Server to create this policy.


Step 2. Publish the policy to the PDP

Step 3. Reorder the policies to bring it to the first position in the PDP policy store

Step 4. Enable the policy

You can extend this sample by adding new policies, such as the one above.
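To make the PDP/PIP/PEP flow concrete, here is a small added model (not WSO2 code and not the sample linked above) of the three KBank policies: the balance check (ATMPolicy1), the privilege check (ATMPolicy2) and the 9.00AM to 4.00PM time rule. The LDAP groups and balances are constructed from the customers listed above; the Silver debit cap of 1000, the hour-of-day request attribute and the deny-overrides combining algorithm are assumptions, since the post does not specify them.

```python
"""Toy model of the KBank PDP, PIPs and ATM PEP (added example, not WSO2 code)."""
from dataclasses import dataclass

# Constructed stand-ins for the two PIPs: the LDAP user store (groups)
# and the legacy banking application (account balances).
LDAP_GROUPS = {"bob": "Gold", "alice": "Gold", "peter": "Silver"}
BANK_BALANCES = {"bob": 50000.0, "alice": 10000.0, "peter": 30000.0}

@dataclass
class Request:
    user: str
    action: str
    amount: float
    hour: int  # hour of day sent by the ATM (assumed request attribute)

# A PIP resolves an attribute the request itself does not carry.
PIPS = {
    "group": lambda r: LDAP_GROUPS.get(r.user),
    "balance": lambda r: BANK_BALANCES.get(r.user),
}

def time_policy(r):
    """Extension policy: debits are allowed only from 9:00 to 16:00."""
    if r.action != "debit":
        return "NotApplicable"
    return "Permit" if 9 <= r.hour < 16 else "Deny"

def atm_policy1(r):
    """ATMPolicy1: the balance from the banking PIP must cover the amount."""
    if r.action != "debit":
        return "NotApplicable"
    balance = PIPS["balance"](r)
    if balance is None:
        return "Indeterminate"  # PIP could not resolve the attribute
    return "Permit" if balance >= r.amount else "Deny"

def atm_policy2(r):
    """ATMPolicy2: Gold may debit any amount; Silver up to 1000 (assumed cap)."""
    group = PIPS["group"](r)
    if group == "Gold":
        return "Permit"
    if group == "Silver":
        return "Permit" if r.amount <= 1000 else "Deny"
    return "Deny"  # user not found in the user store

POLICIES = [time_policy, atm_policy1, atm_policy2]  # time policy placed first

def pdp(r, policies=POLICIES):
    """Deny-overrides combining (assumed): a single Deny refuses the request."""
    results = [p(r) for p in policies]
    for outcome in ("Deny", "Indeterminate", "Permit"):
        if outcome in results:
            return outcome
    return "NotApplicable"
```

The ATM PEP would build a `Request` from the card, the requested amount and the current time and act only on a `Permit` from `pdp`; an `Indeterminate` (a PIP that could not be reached) should be treated as a refusal, not as a permit.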



  1. Thanks for this great real world example. The only thing you haven't covered in here is how you have distributed the PEP to the ATM. One of the challenges with XACML (my layman's understanding) is externalising authorisation for COTS apps that have all the authorisation logic built into them. How does the COTS ATM app externalise the call to the PEP? Where is the PEP?

  2. One other bit of value you could add here is how this same use case would be delivered using a Business Rules engine, and how a XACML engine would be easier/better to use over Business Rules.
