XACML Obligations

How do we use obligations in XACML? Any reference will be helpful. The scenario is that the obligations should refer to the PIP and return the result to the PEP.

Thanks

Example from the author's comment:

<ObligationExpressions>
    <ObligationExpression ObligationId="EmailObligation" FulfillOn="Permit">
        <AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:text">
            <!-- Resolved by the PDP at evaluation time: the subject-id of the requesting user is copied into the obligation -->
            <AttributeDesignator MustBePresent="false" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </AttributeAssignmentExpression>
    </ObligationExpression>
</ObligationExpressions>
Cijoy asked Apr 05 '13 10:04



1 Answer

Obligations in XACML (as well as Advice introduced in XACML 3.0) are used to enrich the authorization flow.

A typical XACML response only bears a decision (either of Permit, Deny, Not Applicable, or Indeterminate). But, what if you want to tell the user why access is denied? What if you want to implement a "Break the glass" scenario?

This is where obligations and advice come in handy. Here are a few examples:

  • Deny Alice access to document D + obligation: email her manager, Bob, to let him know Alice tried to access document D.
  • Deny Doctor House the right to view the medical record + obligation: tell Doctor House he can "break the glass" to access the medical record.
  • Allow Joe to view document D, but first watermark the document before returning it to Joe.

In XACML 3.0 obligations and advice can have variable parts such as - in the examples above - the manager's email. Those parts can be retrieved from a PIP.

David Brossard answered Sep 23 '22 15:09

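The following is an added example, not code from the question, the answer, or any XACML product: a minimal PEP-side obligation handler in Python that ties the question's EmailObligation to the answer's "email her manager" scenario. The XACML responses are constructed inline (they are what a PDP would return after evaluating the question's policy, not captured output), the manager directory stands in for a PIP lookup, and the handler name and message format are illustrative. The security-relevant point it demonstrates is the fail-closed rule of the XACML 3.0 core spec: a PEP that receives an obligation it does not understand or cannot discharge must deny access, even on a Permit.

```python
import xml.etree.ElementTree as ET

# Namespace of the XACML 3.0 core schema (the one the question's policy uses).
XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = {"x": XACML_NS}
# AttributeId carried by the question's EmailObligation.
TEXT_ATTR = "urn:oasis:names:tc:xacml:3.0:example:attribute:text"

# Constructed PDP responses (sample data for this example, not real captures).
# 1) Deny carrying the EmailObligation; the PDP has already resolved the
#    subject-id designator, so the PEP receives the user name as a value.
DENY_WITH_EMAIL = f"""<Response xmlns="{XACML_NS}">
  <Result>
    <Decision>Deny</Decision>
    <Obligations>
      <Obligation ObligationId="EmailObligation">
        <AttributeAssignment AttributeId="{TEXT_ATTR}"
            DataType="http://www.w3.org/2001/XMLSchema#string">alice</AttributeAssignment>
      </Obligation>
    </Obligations>
  </Result>
</Response>"""

# 2) Permit carrying an obligation this PEP has no handler for.
PERMIT_UNKNOWN = f"""<Response xmlns="{XACML_NS}">
  <Result>
    <Decision>Permit</Decision>
    <Obligations>
      <Obligation ObligationId="WatermarkObligation"/>
    </Obligations>
  </Result>
</Response>"""

# 3) Plain Permit with no obligations.
PERMIT_PLAIN = f'<Response xmlns="{XACML_NS}"><Result><Decision>Permit</Decision></Result></Response>'

# Stand-in PIP: subject-id -> manager e-mail (constructed directory).
MANAGER_DIRECTORY = {"alice": "bob@example.com"}


def parse_result(response_xml):
    """Extract (decision, [(ObligationId, {AttributeId: value}), ...]) from a Response."""
    result = ET.fromstring(response_xml).find("x:Result", NS)
    decision = result.findtext("x:Decision", namespaces=NS)
    obligations = []
    for ob in result.findall("x:Obligations/x:Obligation", NS):
        assignments = {a.get("AttributeId"): (a.text or "").strip()
                       for a in ob.findall("x:AttributeAssignment", NS)}
        obligations.append((ob.get("ObligationId"), assignments))
    return decision, obligations


def email_manager(assignments):
    """Handler for EmailObligation (hypothetical). Returns a description of the
    action taken, or None when the obligation cannot be fulfilled."""
    subject = assignments.get(TEXT_ATTR)
    manager = MANAGER_DIRECTORY.get(subject)  # the PIP lookup
    if manager is None:
        return None
    # A real PEP would send mail here; this example only records the action.
    return f"email to {manager}: {subject} attempted access"


HANDLERS = {"EmailObligation": email_manager}


def enforce(response_xml, handlers):
    """PEP decision logic: return (access_granted, actions_taken).

    Every obligation is discharged regardless of the decision it arrives with.
    An obligation the PEP does not understand or cannot fulfil fails closed.
    Anything other than an explicit Permit (Deny, NotApplicable, Indeterminate)
    is treated as Deny.
    """
    decision, obligations = parse_result(response_xml)
    actions = []
    fulfilled = True
    for ob_id, assignments in obligations:
        handler = handlers.get(ob_id)
        outcome = handler(assignments) if handler else None
        if outcome is None:
            actions.append(f"unfulfilled obligation {ob_id}")
            fulfilled = False
        else:
            actions.append(outcome)
    return decision == "Permit" and fulfilled, actions


if __name__ == "__main__":
    for name, resp in [("deny+email", DENY_WITH_EMAIL),
                       ("permit+unknown", PERMIT_UNKNOWN),
                       ("permit", PERMIT_PLAIN)]:
        print(name, enforce(resp, HANDLERS))
```

Note that the obligation is discharged even on the Deny response, which is what makes the "email her manager" scenario work, while the Permit that carries an unhandled WatermarkObligation is downgraded to a denial rather than silently granting unwatermarked access.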