Axiomatics Reverse Query

Authorizations that affect large data sets across multiple dimensions are difficult to manage with per-item XACML Permit/Deny decisions. Axiomatics' unique, patent-pending reverse querying technology extends XACML policy-based authorization to very large data sets.

Authorization rules applied to large data sets may require the output to be filtered along several dimensions at once. A single Permit or Deny from an XACML PDP is sometimes simply inadequate for that purpose.


Privacy protection is a typical use case. Systems holding information about many individuals, perhaps entire populations, may contain several types of sensitive information about the data subjects. Such information may only be displayed under special circumstances and subject to contextual constraints.

Medical staff should see medical data, but only for patients with whom they have a care relationship. If the purpose of use is medical care, on the other hand, there is no need to show financial data about patients. For accountants concerned with billing, the opposite is true.

The access control logic must therefore help filter the output, so the purpose of use and the relationship between the user and the data subjects become crucial. Context awareness is key.

With large data sets, issuing a separate authorization query for every single data item incurs a significant performance penalty. The Axiomatics Reverse Query product extends XACML-based authorization to meet these requirements.

A standard XACML request is answered with a Permit or Deny. "Can user Bob read document number 42 from the database management system?" Permit or Deny.

An ARQ response, by contrast, is a logical expression. The PEP sends an open request to the PDP: "Which actions can Bob perform on documents in this repository?" The response may include criteria such as "Permit read access for documents belonging to Bob's department; permit write access for documents authored by Bob or by users for whom he is the manager, namely Anne, Joe or Charlie, or for which Bob is the assigned reviewer or editor".

The response is delivered in a uniform format from which PEP components can efficiently produce the filtered output.
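The contrast between a standard request and a reverse query, as an added illustration that is not Axiomatics' code or algorithm: a tiny attribute-based rule set is evaluated twice against the "Bob" example from the text. With every attribute supplied, evaluation collapses to Permit or Deny; with the resource attributes left unknown, the rules are partially evaluated against Bob's known attributes and the residual condition is rendered as a filter the PEP can push into its data query. The policy, the attribute names, the `resource.`/`subject.` prefixes and the SQL rendering are all constructed for this example.

```python
"""Toy 'reverse query' by partial evaluation of attribute-based rules.

Conditions are small tuples (constructed AST, not XACML syntax):
  ("eq", lhs, rhs) | ("in", lhs, rhs) | ("and", c1, c2) | ("or", c1, c2)
where lhs/rhs are ("ref", "<category>.<attribute>") or ("const", value).
"""

# Hypothetical rule set: (action, condition). Read is allowed within the
# subject's department; write is allowed for documents the subject authored,
# documents authored by people the subject manages, or documents on which the
# subject is listed as a reviewer.
POLICY = [
    ("read", ("eq", ("ref", "resource.department"), ("ref", "subject.department"))),
    ("write", ("or",
               ("in", ("ref", "resource.author"), ("ref", "subject.managed_users")),
               ("or",
                ("eq", ("ref", "resource.author"), ("ref", "subject.id")),
                ("in", ("ref", "subject.id"), ("ref", "resource.reviewers"))))),
]

# Constructed subject attributes for Bob (the PEP knows these up front).
BOB = {"subject.id": "bob", "subject.department": "sales",
       "subject.managed_users": ["anne", "joe", "charlie"]}


def resolve(operand, ctx):
    """Replace an attribute reference with its value when the context has it."""
    kind, val = operand
    if kind == "ref" and val in ctx:
        return ("const", ctx[val])
    return operand


def partial_eval(cond, ctx):
    """Return True/False when decidable, otherwise the residual condition."""
    if isinstance(cond, bool):
        return cond
    op = cond[0]
    if op in ("eq", "in"):
        lhs, rhs = resolve(cond[1], ctx), resolve(cond[2], ctx)
        if lhs[0] == "const" and rhs[0] == "const":
            return lhs[1] == rhs[1] if op == "eq" else lhs[1] in rhs[1]
        return (op, lhs, rhs)          # unknown attribute: keep as residual
    a, b = partial_eval(cond[1], ctx), partial_eval(cond[2], ctx)
    if op == "and":
        if a is False or b is False:
            return False
        return b if a is True else a if b is True else ("and", a, b)
    if op == "or":
        if a is True or b is True:
            return True
        return b if a is False else a if b is False else ("or", a, b)
    raise ValueError("unknown operator " + op)


def reverse_query(policy, ctx, action):
    """OR together every rule for `action`, partially evaluated against ctx."""
    result = False
    for rule_action, cond in policy:
        if rule_action == action:
            result = partial_eval(("or", result, cond), ctx)
    return result


def decide(policy, ctx, action):
    """Standard request: a single decision for one fully described access."""
    r = reverse_query(policy, ctx, action)
    if r is True:
        return "Permit"
    if r is False:
        return "Deny"
    return "Indeterminate"  # the request did not supply every attribute used


def sql_literal(v):
    return "'" + str(v).replace("'", "''") + "'"


def sql_operand(operand):
    """Residual resource attributes become columns; constants become literals."""
    kind, val = operand
    if kind == "ref":
        if not val.startswith("resource."):
            raise ValueError("unresolved non-resource attribute: " + val)
        return val[len("resource."):]
    if isinstance(val, (list, tuple, set)):
        return "(" + ", ".join(sql_literal(v) for v in sorted(val)) + ")"
    return sql_literal(val)


def to_sql(cond):
    """Render a residual condition as a WHERE clause (constructed dialect)."""
    if cond is True:
        return "TRUE"
    if cond is False:
        return "FALSE"
    op, a, b = cond
    if op in ("and", "or"):
        return f"({to_sql(a)} {op.upper()} {to_sql(b)})"
    if op == "eq":
        return f"{sql_operand(a)} = {sql_operand(b)}"
    if a[0] == "ref" and b[0] == "const":      # column IN (literal list)
        return f"{sql_operand(a)} IN {sql_operand(b)}"
    return f"{sql_operand(a)} = ANY({sql_operand(b)})"  # literal in array column


if __name__ == "__main__":
    doc42 = {**BOB, "resource.department": "sales",
             "resource.author": "dave", "resource.reviewers": ["erin"]}
    print("standard read :", decide(POLICY, doc42, "read"))
    print("standard write:", decide(POLICY, doc42, "write"))
    for action in ("read", "write"):
        print(f"reverse {action}:", to_sql(reverse_query(POLICY, BOB, action)))
```

With all attributes present the standard request yields `Permit` for read and `Deny` for write; the reverse query instead yields `department = 'sales'` for read and `(author IN ('anne', 'charlie', 'joe') OR (author = 'bob' OR 'bob' = ANY(reviewers)))` for write, one filter per action instead of one PDP round trip per document. A production PEP would bind the rendered constants as query parameters and restrict column names to a known schema rather than string-build the clause as this toy does.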
