
Does the JSON profile for XACML support MDP?

JSON (JavaScript Object Notation) is a more lightweight and arguably easier-to-work-with format than XML (Extensible Markup Language), which is typically used for data exchange (e.g., request/response) between a Policy Enforcement Point (PEP) and a Policy Decision Point (PDP).

Multiple Decision Profile (MDP) is a standards-based way of grouping multiple, similar access requests into a single “batch” request, which reduces the performance cost incurred by over-the-network use.

The combined use of JSON and MDP should offer higher performance still.

I authored the JSON profile specification for XACML (eXtensible Access Control Markup Language), now part of the OASIS XACML 3.0 Standard.

As a result, Axiomatics also supports the JSON over REST authorization interface on the PDPs in our policy server.

Naturally, the full scope of the JSON profile is supported, including the use of MDP.

Example:

{
  "Request": {
    "AccessSubject": {
      "Attribute": [
        {"AttributeId": "employeeId", "Value": "Alice"}
      ]
    },
    "Resource": [
      {"Attribute": [ {"AttributeId": "recordId", "Value": "123"} ]},
      {"Attribute": [ {"AttributeId": "recordId", "Value": "124"} ]}
    ],
    "Action": {
      "Attribute": [
        {"AttributeId": "actionId", "Value": "view"}
      ]
    }
  }
}

This MDP request asks “Can a user with the role Insurance Agent approve insurance claims 123 and 456?”.

Note the two resources that are bundled in the request.
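
The PEP side of this batch exchange, as an added example (not Axiomatics code and not part of the original post): it builds the same request shape for any list of record IDs and maps each result back to its record, treating anything other than an explicit Permit as a denial. The use of `IncludeInResult`, the shape of the response, and the function names are assumptions based on the JSON profile; the sample response and record 125 are constructed.

```python
import json

RESOURCE_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"

def build_mdp_request(employee_id, action_id, record_ids):
    """One request, one Resource entry per record (MDP by repeated category)."""
    return {"Request": {
        "AccessSubject": {"Attribute": [
            {"AttributeId": "employeeId", "Value": employee_id}]},
        # IncludeInResult asks the PDP to echo recordId in each result so the
        # PEP can match decisions to resources without relying on ordering.
        "Resource": [{"Attribute": [
            {"AttributeId": "recordId", "Value": rid, "IncludeInResult": True}]}
            for rid in record_ids],
        "Action": {"Attribute": [
            {"AttributeId": "actionId", "Value": action_id}]},
    }}

def permitted_records(response, record_ids):
    """Map each requested record to True only on an explicit Permit."""
    allowed = {rid: False for rid in record_ids}  # fail closed by default
    results = response.get("Response", [])
    if isinstance(results, dict):  # tolerate a single result object
        results = [results]
    for result in results:
        for cat in result.get("Category", []):
            if cat.get("CategoryId") != RESOURCE_CAT:
                continue
            for attr in cat.get("Attribute", []):
                rid = attr.get("Value")
                if attr.get("AttributeId") == "recordId" and rid in allowed:
                    allowed[rid] = result.get("Decision") == "Permit"
    return allowed

# Constructed sample response: results out of order, none for record 125.
SAMPLE_RESPONSE = json.loads("""
{"Response": [
  {"Decision": "Deny", "Category": [{"CategoryId":
    "urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
    "Attribute": [{"AttributeId": "recordId", "Value": "124"}]}]},
  {"Decision": "Permit", "Category": [{"CategoryId":
    "urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
    "Attribute": [{"AttributeId": "recordId", "Value": "123"}]}]}
]}""")

if __name__ == "__main__":
    print(json.dumps(build_mdp_request("Alice", "view", ["123", "124"]), indent=2))
    print(permitted_records(SAMPLE_RESPONSE, ["123", "124", "125"]))
```

A record with no matching result stays denied, so a truncated or partial PDP response cannot widen access.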

If you’re interested in more details on JSON and MDP, check out these excellent resources:

If you’re also interested in learning more about how this works with Axiomatics, please reach out to our team and schedule a demo.

About the author

As Chief Technology Officer, David has experience leading the design and development of Salesforce’s identity offering including customer identity and access management (CIAM). He is a founding member of IDPro, a co-author of the OASIS XACML standard, and an expert on standard-based authorization as part of an overall IAM implementation.