Does the JSON profile for XACML support MDP

JSON, or JavaScript Object Notation is a more lightweight and arguably a more easy-to-work with format than XML which is typically used in data exchange (e.g request/response) between Policy Enforcement Point (PEP) and Policy Decision Point (PDP).

MDP, or Multiple Decision Profile is a standards-based way of grouping multiple similar access requests into a single “batch” request which will reduce the performance cost incurred by over-the-network use. The combined use of JSON and MDP then should offer higher performance still.

Axiomatics own David Brossard authored the JSON profile specification for XACML, now part of the OASIS XACML 3.0 Standard. As a consequence, Axiomatics also supports the JSON over REST authorization interface on its PDP’s in Axiomatics Policy Server (APS).   

Naturally, the full scope of the JSON profile is supported, including the use of MDP.


{ "Request": { "AccessSubject": { "Attribute": [ {"AttributeId":"employeeId","Value":"Alice"}     ] }, "Resource": [  {"Attribute": [ {"AttributeId":"recordId","Value":"123"} ]}, {"Attribute": [ {"AttributeId":"recordId","Value":"124"} ]} ], "Action": { "Attribute": [ {"AttributeId":"actionId","Value":"view"} ] } } }

This MDP Request asks “Can a user with the role Insurance Agent approve insurance claim 123 and 456”? Note the two resources that are bundled in the request.

For Further Details on JSON and MDP


If you have any question related to access control in need of an answer, send them to [email protected].


Other Blogs

3 keys to re-evaluate your authorization management
On May 27, I had the pleasure to join the KuppingerCole KCLive event with several industry peers in a panel discussion about  “Enabling the Future...
How OAuth is related to Attribute Based Access Control
What is Authorization? Authorization, also referred to as Access Control, is the process that follows authentication (which checks your identity and ensures that you are...
Modern Enterprise Authorization Management System
Gartner has an interesting article titled “Modernize Your Runtime Authorization” that highlights some aspects you need from a modern enterprise authorization systems. Over the years...