Working with XACML Multiple Decision Profile Requests

In general, access control scenarios that the Policy Enforcement Point (PEP) has to handle are complicated and can contain a large number of attributes in each of the categories. Some of the attributes can have multiple values, and PEPs may often need to ask multiple access control questions, which can have overlapping attributes and corresponding values.

To handle such scenarios, WSO2 Identity Server supports XACML Multiple Decision Profile (MDP) requests.

MDP allows you to group multiple decisions as a single response after evaluating multiple requests. Here, the XACML Policy Decision Point (PDP) performs policy evaluation and provides an authorization decision response as a single <Result> element in the response context. A Policy Enforcement Point (PEP) can send a single request that carries multiple requests to be evaluated by the PDP.

WSO2 Identity Server supports working with XACML MDP requests created either by repeating attribute categories, or by using hierarchical resources.
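
The following added example (not WSO2 Identity Server code) shows the repeated-attribute-categories form: a PEP builds one XACML 3.0 request with the resource and action categories repeated, and the individual decision requests are derived as the XACML 3.0 MDP specification defines them, one per combination of a single element from each category. The category and attribute URNs are the standard XACML ones; the function names and the sample subject, resources and actions are constructed for illustration.

```python
import itertools
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
IDS = {SUBJECT: "urn:oasis:names:tc:xacml:1.0:subject:subject-id",
       RESOURCE: "urn:oasis:names:tc:xacml:1.0:resource:resource-id",
       ACTION: "urn:oasis:names:tc:xacml:1.0:action:action-id"}

def attributes(category, value):
    """One <Attributes> element. IncludeInResult echoes the attribute back in
    the response so the PEP can tell which decision belongs to which value."""
    return (f'<Attributes Category="{category}">'
            f'<Attribute AttributeId="{IDS[category]}" IncludeInResult="true">'
            f'<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">'
            f'{escape(value)}</AttributeValue></Attribute></Attributes>')

def build_mdp_request(subject, resources, actions):
    """PEP side: repeat the resource and action categories in a single <Request>."""
    body = attributes(SUBJECT, subject)
    body += "".join(attributes(RESOURCE, r) for r in resources)
    body += "".join(attributes(ACTION, a) for a in actions)
    return (f'<Request xmlns="{XACML}" CombinedDecision="false" '
            f'ReturnPolicyIdList="false">{body}</Request>')

def individual_requests(request_xml):
    """PDP side: one individual decision request per combination that takes
    exactly one <Attributes> element from each category (a cross product)."""
    by_category = {}
    for el in ET.fromstring(request_xml).findall(f"{{{XACML}}}Attributes"):
        value = el.find(f".//{{{XACML}}}AttributeValue").text
        by_category.setdefault(el.get("Category"), []).append(value)
    order = [SUBJECT, RESOURCE, ACTION]
    return list(itertools.product(*(by_category[c] for c in order)))

# Constructed sample values, not taken from any WSO2 sample policy.
REQUEST = build_mdp_request("alice", ["/orders/1", "/orders/2"], ["read", "write"])

if __name__ == "__main__":
    for subject, resource, action in individual_requests(REQUEST):
        print(subject, action, resource)
```

Because the number of individual decisions is the product of the repeat counts in each category, a PEP that repeats two or more categories should confirm that the expansion matches the set of questions it intended to ask.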