This documentation is for WSO2 Identity Server 5.4.0 . View documentation for the latest release.

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


The WSO2 Identity Server is a major player in the XACML and open source world. The Identity Server supports XACML 3.0, which is based on Balana XACML implementation. As the source code, distribution and documentation are available for free, it is possible to analyze and understand the architecture behind it. You can find source code from here.


XACML 3.0 has an AND relationship between “foo” resource and “bar1″ role and an OR relationship between “bar2″ action. So we cannot can define something as “Target would be matched, when Bob can access foo resource and do bar1 action or do bar2 action”.


  • Request attributes that are defined in the XACML response.
  • Applicable policy ids for a given XACML request are defined in the XACML response.

XACML 3.0 Multiple Decision Profile

This is new profile that comes with XACML 3.0 and is not included in the XACML3 core specification. However, this is very useful for performance improvement between PEP and PDP. This is especially the case since PEP can a useful profile that allows you to request more than one access control decision in a single XACML request context, and also allows you to request a single combined decision based on multiple individual decisions.

The XACML 3.0 Multiple Decision Profile (MDP) is particularly useful in scenarios where the PEP needs to request decisions for multiple requests in one XACML request, and provides a considerable improvement in performance between the PEP and the PDP in such scenarios.

For a set of tutorials that demonstrate how to work with XACML MDP requests in WSO2 Identity Server, see Working with XACML Multiple Decision Profile Requests.

Administrative Delegation Profile