How do we use obligations in XACML? Any reference will be helpful The scenario is that the obligations should refer the PIP and retrun the result to PEP
Thanks
<ObligationExpressions>
<ObligationExpression ObligationId="EmailObligation" FulfillOn="Permit">
<AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:text">
<AttributeDesignator MustBePresent="false" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="w3.org/2001/XMLSchema#string"/>
</AttributeAssignmentExpression>
</ObligationExpression>
</ObligationExpressions>
Obligations in XACML (as well as Advice introduced in XACML 3.0) are used to enrich the authorization flow.
A typical XACML response only bears a decision (either of Permit, Deny, Not Applicable, or Indeterminate). But, what if you want to tell the user why access is denied? What if you want to implement a "Break the glass" scenario?
This is where obligations and advice come in handy. Here are a few examples:
In XACML 3.0 obligations and advice can have variable parts such as - in the examples above - the manager's email. Those parts can be retrieved from a PIP.