Obligations in XACML (as well as Advice, introduced in XACML 3.0) are used to enrich the authorization flow.
A typical XACML response only carries a decision (one of Permit, Deny, NotApplicable, or Indeterminate). But what if you want to tell the user why access is denied? What if you want to implement a "break the glass" scenario?
This is where obligations and advice come in handy. Here are a few examples:
- Deny Alice access to document D, plus an obligation: email her manager, Bob, to let him know that Alice tried to access document D.
- Deny Doctor House the right to view a medical record, plus an obligation: tell Doctor House he can "break the glass" to access the record.
- Allow Joe to view document D, but watermark the document before returning it to him.
In XACML 3.0, obligations and advice can have variable parts, such as the manager's email address in the first example above. Those parts can be retrieved from a PIP (Policy Information Point) at evaluation time rather than hard-coded in the policy.
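To make the medical-record example concrete, here is an added XACML 3.0 policy (written for this answer, not taken from the original post or from any XACML product). It permits the attending physician and denies everyone else; the Deny rule carries an obligation that notifies the requester's manager, with the manager's email pulled from a subject attribute by an `AttributeDesignator` (which is what causes the PDP to consult a PIP when the request does not already contain it), and an advice that tells the user they may break the glass. The `urn:example:...` identifiers, the `resource:type` and `attending-physician` attributes, and the `manager-email` attribute are assumptions for this illustration; the `urn:oasis:...` identifiers are standard XACML ones.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example policy; the urn:example:* identifiers are assumed, not standard. -->
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        PolicyId="urn:example:policy:medical-record-access"
        Version="1.0"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
  <Description>Only the attending physician may view a medical record; others are denied,
    their manager is notified, and they are told that break-the-glass is available.</Description>

  <!-- The policy applies only to resources of the (assumed) type "medical-record". -->
  <Target>
    <AnyOf>
      <AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">medical-record</AttributeValue>
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                               AttributeId="urn:example:resource:type"
                               DataType="http://www.w3.org/2001/XMLSchema#string"
                               MustBePresent="false"/>
        </Match>
      </AllOf>
    </AnyOf>
  </Target>

  <!-- Permit when the subject-id equals the record's (assumed) attending-physician attribute. -->
  <Rule RuleId="permit-attending-physician" Effect="Permit">
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                               AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                               DataType="http://www.w3.org/2001/XMLSchema#string"
                               MustBePresent="true"/>
        </Apply>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                               AttributeId="urn:example:resource:attending-physician"
                               DataType="http://www.w3.org/2001/XMLSchema#string"
                               MustBePresent="true"/>
        </Apply>
      </Apply>
    </Condition>
  </Rule>

  <!-- Everyone else is denied. The Deny carries one obligation and one advice. -->
  <Rule RuleId="deny-everyone-else" Effect="Deny">
    <ObligationExpressions>
      <!-- Obligation: the PEP must email the requester's manager. The manager's address is
           not a literal in the policy; the designator makes the PDP resolve it (via a PIP
           if the request did not supply it). With MustBePresent="false", a missing value
           yields an empty bag and the assignment is simply omitted from the obligation. -->
      <ObligationExpression ObligationId="urn:example:obligation:notify-manager" FulfillOn="Deny">
        <AttributeAssignmentExpression AttributeId="urn:example:attribute:manager-email">
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                               AttributeId="urn:example:subject:manager-email"
                               DataType="http://www.w3.org/2001/XMLSchema#string"
                               MustBePresent="false"/>
        </AttributeAssignmentExpression>
        <AttributeAssignmentExpression AttributeId="urn:example:attribute:resource-id">
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                               AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                               DataType="http://www.w3.org/2001/XMLSchema#string"
                               MustBePresent="false"/>
        </AttributeAssignmentExpression>
      </ObligationExpression>
    </ObligationExpressions>
    <AdviceExpressions>
      <!-- Advice: a hint the PEP may show to the user; unlike an obligation it may be ignored. -->
      <AdviceExpression AdviceId="urn:example:advice:break-the-glass" AppliesTo="Deny">
        <AttributeAssignmentExpression AttributeId="urn:example:attribute:message">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Access denied. You may break the glass to view this record; the access will be logged and reviewed.</AttributeValue>
        </AttributeAssignmentExpression>
      </AdviceExpression>
    </AdviceExpressions>
  </Rule>
</Policy>
```

Two points worth keeping in mind when enforcing this. The spec draws a hard line between the two constructs: a PEP that does not understand or cannot fulfil an obligation attached to a decision must not act on that decision as if it had (in practice, fail closed and deny), whereas advice is informational and a PEP is free to discard it. And "break the glass" is not something the PDP does on its own: the advice only tells the user the option exists, and the actual override is a second request carrying an explicit break-the-glass attribute, matched by a separate rule whose own obligation forces the audit logging.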