Tags: authorization, access-control, xacml, xacml3

XACML Obligations


How do we use obligations in XACML? Any reference will be helpful. The scenario is that the obligations should refer to the PIP and return the result to the PEP.

Thanks

Example from the author's comment:

<ObligationExpressions>
    <!-- Attached to the response only when the decision is Permit -->
    <ObligationExpression ObligationId="EmailObligation" FulfillOn="Permit">
        <AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:text">
            <!-- The value is looked up at evaluation time (request context, then PIP) -->
            <AttributeDesignator MustBePresent="false" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </AttributeAssignmentExpression>
    </ObligationExpression>
</ObligationExpressions>

Solution

  • Obligations in XACML (as well as Advice introduced in XACML 3.0) are used to enrich the authorization flow.

    A typical XACML response only bears a decision (either of Permit, Deny, Not Applicable, or Indeterminate). But, what if you want to tell the user why access is denied? What if you want to implement a "Break the glass" scenario?

    This is where obligations and advice come in handy. Here are a few examples:

    In XACML 3.0 obligations and advice can have variable parts such as - in the examples above - the manager's email. Those parts can be retrieved from a PIP.
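The flow the question asks about, as an added example that is not part of the question or the answer: a toy PDP evaluates the obligation expression from the question, resolves each AttributeDesignator from the request context and, failing that, from a PIP, attaches the resulting obligation to the response, and a PEP fulfils it. The XACML element names and the FulfillOn / MustBePresent behaviour follow XACML 3.0; the PIP directory, the PEP handler, the `urn:example:attribute:manager-email` attribute and the request contents are assumptions constructed for the demo.

```python
"""Toy XACML 3.0 obligation flow (added example, not code from the question or answer).

PDP: evaluate <ObligationExpression>, resolving designators via request context then PIP.
PEP: grant only on Permit and only when every returned obligation can be fulfilled.
The PIP store, PEP handler and manager-email attribute are assumptions for the demo."""
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = {"x": XACML_NS}
SUBJECT_CAT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
TEXT_ATTR = "urn:oasis:names:tc:xacml:3.0:example:attribute:text"
MANAGER_EMAIL = "urn:example:attribute:manager-email"  # assumed attribute id, not from the page
STRING = "http://www.w3.org/2001/XMLSchema#string"

# The question's obligation plus a second assignment (manager e-mail) that only the
# PIP can supply, because the request does not carry it.  Constructed policy fragment.
OBLIGATION_EXPRESSIONS = f"""
<ObligationExpressions xmlns="{XACML_NS}">
  <ObligationExpression ObligationId="EmailObligation" FulfillOn="Permit">
    <AttributeAssignmentExpression AttributeId="{TEXT_ATTR}">
      <AttributeDesignator MustBePresent="false" Category="{SUBJECT_CAT}"
          AttributeId="{SUBJECT_ID}" DataType="{STRING}"/>
    </AttributeAssignmentExpression>
    <AttributeAssignmentExpression AttributeId="{MANAGER_EMAIL}">
      <AttributeDesignator MustBePresent="false" Category="{SUBJECT_CAT}"
          AttributeId="{MANAGER_EMAIL}" DataType="{STRING}"/>
    </AttributeAssignmentExpression>
  </ObligationExpression>
</ObligationExpressions>
"""

# Constructed PIP backing store: subject-id -> attributes not present in the request.
PIP_DIRECTORY = {"alice": {MANAGER_EMAIL: ["boss@example.test"]}}


class MissingAttribute(Exception):
    """Raised when MustBePresent="true" and the attribute resolves to an empty bag."""


def pip_lookup(category, attribute_id, request):
    """PIP: resolve a subject attribute keyed on the subject-id carried in the request."""
    if category != SUBJECT_CAT:
        return []
    subject = request.get((SUBJECT_CAT, SUBJECT_ID), [])
    return PIP_DIRECTORY.get(subject[0], {}).get(attribute_id, []) if subject else []


def resolve_designator(designator, request):
    """Request context first, then the PIP; empty bag + MustBePresent="true" is an error."""
    category, attribute_id = designator.get("Category"), designator.get("AttributeId")
    values = request.get((category, attribute_id))
    if values is None:
        values = pip_lookup(category, attribute_id, request)
    if not values and designator.get("MustBePresent", "false").lower() == "true":
        raise MissingAttribute(attribute_id)
    return values


def pdp_evaluate(decision, request, expressions_xml=OBLIGATION_EXPRESSIONS):
    """Attach the obligations whose FulfillOn matches the (already computed) decision."""
    root = ET.fromstring(expressions_xml.strip())
    obligations = []
    for oe in root.findall("x:ObligationExpression", NS):
        if oe.get("FulfillOn") != decision:
            continue
        assignments = {}
        for aae in oe.findall("x:AttributeAssignmentExpression", NS):
            try:
                values = resolve_designator(aae.find("x:AttributeDesignator", NS), request)
            except MissingAttribute:
                return {"decision": "Indeterminate", "obligations": []}
            if values:  # an empty bag yields no AttributeAssignment in the response
                assignments[aae.get("AttributeId")] = values
        obligations.append({"id": oe.get("ObligationId"), "attributes": assignments})
    return {"decision": decision, "obligations": obligations}


def email_obligation_handler(attributes):
    """Constructed PEP handler: builds the notification instead of really sending mail."""
    recipient = attributes.get(MANAGER_EMAIL, ["<no manager on file>"])[0]
    text = attributes.get(TEXT_ATTR, [""])[0]
    return f"mail to {recipient}: access granted to {text}"


PEP_HANDLERS = {"EmailObligation": email_obligation_handler}


def pep_enforce(response):
    """PEP: allow only on Permit and only if every obligation is understood and fulfilled."""
    if response["decision"] != "Permit":
        return False, []
    fulfilled = []
    for obligation in response["obligations"]:
        handler = PEP_HANDLERS.get(obligation["id"])
        if handler is None:
            return False, fulfilled  # unfulfillable obligation: the PEP must deny
        fulfilled.append(handler(obligation["attributes"]))
    return True, fulfilled


def run(subject, decision):
    """End-to-end: constructed request -> PDP (with PIP) -> PEP."""
    request = {(SUBJECT_CAT, SUBJECT_ID): [subject]}
    return pep_enforce(pdp_evaluate(decision, request))


if __name__ == "__main__":
    print(run("alice", "Permit"))
    print(run("bob", "Permit"))
    print(run("alice", "Deny"))
```

The PEP side is the part practitioners most often get wrong: an obligation the PEP does not recognise must turn a Permit into a deny, whereas advice may be ignored. Note also that `bob` has no manager in the PIP; because the designator says `MustBePresent="false"`, the assignment is simply omitted rather than the whole decision becoming Indeterminate.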