eXtensible authorization

Fine-grained & dynamic

In legacy systems, "fine-grained access control" refers to a variety of vendor-specific capabilities. "Object level security" may in one system mean that database functions are used to control access to individual "objects". Another system provides similar controls under the name "transaction level security". "Field level security" sometimes indicates that permissions for individual elements of a graphical user interface can be controlled separately. The "granularity" of such access control mechanisms is rarely comparable across applications or domains. Enforcing corporate policies consistently in multiple systems is therefore a daunting - if not impossible - task.

Yet, in one respect previous technology generations are alike: they are based on static assignments of user permissions. Access to individual information objects is granted based on access control lists that define the permissions of individual users or user groups. The finer the granularity, the more overwhelming the administrative burden becomes. To control 1000 users' access to 1000 information assets you need the ability to handle one million possible combinations (1000*1000). Whether or not it is possible to simplify, for instance by categorizing and grouping user permissions into roles, the challenge grows in proportion to the degree of granularity you want to achieve. If the 1000 information assets need to be controlled at the level of some 100 objects / aspects that each contains, the multiplying factor creates a combinatorial complexity that is difficult to grasp: permissions for 1000 users potentially amount to 100 million possible statically configured combinations.

Axiomatics delivers fine-grained authorization using a radically different approach. Rather than defining access control per individual user or object, XACML-based solutions use a higher level of abstraction by means of policies and rules.

This is well aligned with the way decisions are made within an organization. A compliance officer does not issue a corporate policy saying that "if you are Bob you should have access to transaction NME28", although this is the way a legacy system may implement its static access control configuration. The policy perhaps states that "except for the week preceding quarterly reports, department managers may approve purchase orders for their subordinates provided the amount does not exceed $ xxx and the accumulated value of approved purchase orders does not exceed the department's annual investment budget". Axiomatics' extensible authorization solutions offer the capability to express and enforce rules of this kind using XACML policies, which "translate" the human-readable policy into dynamic access controls within an information system. Interpreting the policy, the Policy Decision Point (PDP) will establish in real time whether user Bob, who is about to approve a purchase order, actually is a department manager, whether the PO comes from one of his subordinates, whether the current date falls in a week preceding a quarterly report, and whether the approval would exceed budget limits. If the conditions mandated by the policy are met, the PDP returns a PERMIT to its Policy Enforcement Point (PEP); otherwise it responds with a DENY.

Such real-time evaluation of policies is by nature dynamic: in our example the date as well as the current balance of the investment budget determine whether a request should render a PERMIT or DENY, and each approved transaction thus dynamically alters the conditions for subsequent requests.
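The following is an added example, not code from Axiomatics or from any XACML engine: a small Python sketch of the PDP/PEP split for the purchase-order policy quoted above, run against constructed attribute data. Real XACML policies are XML documents evaluated by a policy engine; here the rules are written directly as Python conditions so the evaluation order and the dynamic budget effect are visible. The per-order limit (standing in for the page's "$ xxx"), the quarterly report dates, the definition of "the week preceding a report" as the seven days up to and including the report date, and all users, departments and budgets are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import date

PERMIT, DENY = "Permit", "Deny"

# Constructed sample values (hypothetical): the page's "$ xxx" per-order limit
# and the dates on which quarterly reports are published.
PER_ORDER_LIMIT = 10_000
QUARTERLY_REPORT_DATES = (date(2024, 3, 31), date(2024, 6, 30),
                          date(2024, 9, 30), date(2024, 12, 31))


def in_week_before_quarterly_report(today):
    """True during the seven days up to and including a report date (assumed reading)."""
    return any(0 <= (report - today).days < 7 for report in QUARTERLY_REPORT_DATES)


@dataclass
class AttributeSource:
    """Attributes the PDP looks up at decision time (the XACML PIP role)."""
    managers: dict                      # user -> department that user manages
    reports_to: dict                    # user -> that user's manager
    budgets: dict                       # department -> annual investment budget
    approved_totals: dict = field(default_factory=dict)  # department -> value approved so far


def decide(pip, request):
    """Policy Decision Point: evaluate the purchase-order approval policy.

    request carries subject, resource and environment attributes:
      {"subject": approver, "requester": user, "department": str,
       "amount": number, "date": date}
    Returns (decision, reason); the first failing condition wins.
    """
    dept, amount = request["department"], request["amount"]
    if in_week_before_quarterly_report(request["date"]):
        return DENY, "approvals suspended in the week before a quarterly report"
    if pip.managers.get(request["subject"]) != dept:
        return DENY, "subject is not the manager of this department"
    if pip.reports_to.get(request["requester"]) != request["subject"]:
        return DENY, "requester is not a subordinate of the approver"
    if amount > PER_ORDER_LIMIT:
        return DENY, "amount exceeds the per-order limit"
    if pip.approved_totals.get(dept, 0) + amount > pip.budgets.get(dept, 0):
        return DENY, "approval would exceed the department's annual budget"
    return PERMIT, "all policy conditions satisfied"


def approve_purchase_order(pip, request):
    """Policy Enforcement Point: ask the PDP and act only on Permit.

    A permitted approval raises the accumulated total, so an identical request
    later in the year can be denied: the decision is dynamic, not an ACL lookup.
    """
    decision, reason = decide(pip, request)
    if decision == PERMIT:
        dept = request["department"]
        pip.approved_totals[dept] = pip.approved_totals.get(dept, 0) + request["amount"]
    return decision, reason


def demo():
    """Run the page's scenario on constructed data; returns the decisions in order."""
    pip = AttributeSource(
        managers={"bob": "sales"},
        reports_to={"alice": "bob", "carol": "dave"},
        budgets={"sales": 25_000},
    )
    base = {"subject": "bob", "requester": "alice", "department": "sales",
            "amount": 9_000, "date": date(2024, 5, 15)}
    requests = [
        base,                                   # Permit: total becomes 9,000
        base,                                   # Permit: total becomes 18,000
        base,                                   # Deny: 27,000 would exceed 25,000
        {**base, "requester": "carol"},         # Deny: carol reports to dave, not bob
        {**base, "amount": 12_000},             # Deny: over the per-order limit
        {**base, "date": date(2024, 6, 27)},    # Deny: week before the Q2 report
    ]
    return [approve_purchase_order(pip, r)[0] for r in requests]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The third request is identical to the first two yet is denied, because the earlier approvals changed the budget balance the PDP consults; that is the "dynamic" half of the claim. Each rule reads as a sentence of the policy rather than as an entry for Bob, which is the "fine-grained without combinatorial explosion" half.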

With XACML, fine-grained and dynamic are two sides of the same coin. Access controls will be exactly as coarse or as fine-grained as the underlying corporate policy mandates. The focus is on the policy rather than on the characteristics of technical configurations in IT systems. Furthermore, since Policy Enforcement Points (PEPs) in multiple information systems, and at different levels within those systems, can query one and the same Policy Decision Point (PDP), a policy is enforced consistently across applications.