The XACML Deontic Profile is a specialized extension of the OASIS XACML standard that enriches access control decisions with deontic modalities—specifically obligation and permission—beyond the binary permit/deny paradigm. It enables policy enforcement points to return not just authorization decisions but also mandatory actions that must be executed in conjunction with access, such as logging requirements, data retention duties, or notification triggers.
Glossary
XACML Deontic Profile

What is XACML Deontic Profile?
An extension of the eXtensible Access Control Markup Language that incorporates deontic concepts of obligation and permission, enabling fine-grained normative policy enforcement in enterprise access control.
By integrating deontic logic into the attribute-based access control framework, this profile allows enterprise architects to model complex normative policies where a permitted action carries associated duties. The profile defines a standardized XML schema for expressing these obligations within XACML policy sets, ensuring that downstream enforcement components can parse and execute the prescribed duties, thereby closing the gap between formal normative reasoning and operational security infrastructure.
Core Characteristics
The XACML Deontic Profile extends the standard access control architecture to natively express and enforce normative concepts like obligations and permissions, moving beyond simple permit/deny decisions.
Beyond Binary Authorization
Standard XACML evaluates to Permit or Deny. The Deontic Profile introduces a third dimension: normative state. A decision is not just about access, but about what the subject is now obligated to do.
- Obligation Enforcement: The PEP is instructed to execute a mandatory action (e.g., 'log access', 'encrypt data').
- Advice: The PEP receives discretionary guidance (e.g., 'consider anonymizing the record').
- Stateful Compliance: The system tracks whether the obligation was fulfilled, not just whether access was granted.
Formal Deontic Semantics
The profile maps XACML elements to Standard Deontic Logic (SDL) operators, providing a mathematically rigorous foundation for policy analysis.
- Permit maps to the permission operator (P).
- Deny maps to the prohibition operator (F), which is logically equivalent to ~P.
- Obligation maps to the duty operator (O).
- Conflict Detection: Formal semantics enable static analysis of policies to detect normative conflicts where a subject is simultaneously obligated and prohibited from the same action.
Contrary-to-Duty Handling
A critical feature for real-world compliance is managing Contrary-to-Duty (CTD) obligations—the rules that activate when a primary duty is violated.
- Primary Obligation: 'A user must delete a record within 30 days.'
- CTD Obligation: 'If the record is not deleted, the user must notify the Data Protection Officer.'
- XACML Mechanism: The profile uses advice and obligation combinations in the policy to chain these fallback norms, avoiding the logical paradoxes that plague simpler deontic systems.
Policy Information Point (PIP) Integration
Deontic decisions often depend on the dynamic state of the world. The profile tightly couples with the Policy Information Point (PIP) to evaluate normative preconditions.
- State Queries: Before issuing an obligation, the PDP queries the PIP: 'Has the subject already completed mandatory training?'
- Contextual Permissions: A permission might be granted only if a specific constitutive norm is active (e.g., 'a state of emergency has been declared').
- Attribute-Based Norms: Obligations can be targeted based on subject attributes like role, clearance, or location.
Obligation Lifecycle Management
Unlike simple access logs, the Deontic Profile enables tracking the full lifecycle of a normative duty from creation to discharge.
- Activation: The obligation is created by a Permit decision with an associated ObligationExpression.
- Fulfillment: The Policy Enforcement Point (PEP) reports back that the mandated action was completed.
- Violation: The system detects non-fulfillment within a deadline, triggering a CTD obligation or a sanctioning policy.
- Expiration: The duty is discharged by a subsequent event or a temporal constraint.
Interoperability with LegalRuleML
The XACML Deontic Profile serves as an enforcement endpoint for rules modeled in LegalRuleML, creating a bridge from legal knowledge representation to runtime access control.
- Semantic Alignment: Both standards share a common deontic vocabulary, allowing for direct translation of legal norms into executable policies.
- Separation of Concerns: LegalRuleML handles the formal modeling of the law, while XACML handles the real-time, attribute-based enforcement of those modeled norms.
- Auditability: The mapping provides a clear lineage from a statute to a specific access control decision.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Frequently Asked Questions
Explore the technical nuances of extending the eXtensible Access Control Markup Language with formal deontic logic to enforce obligations, permissions, and prohibitions in enterprise authorization systems.
The XACML Deontic Profile is a semantic extension of the OASIS eXtensible Access Control Markup Language that incorporates deontic logic modalities—specifically obligation, permission, and prohibition—into the policy decision point. While standard XACML 3.0 primarily renders binary Permit or Deny decisions based on attributes, the deontic profile enriches the response context with normative operators. This allows a Policy Enforcement Point (PEP) to not only block unauthorized access but also to trigger obligatory duties (e.g., "Permit access, but Obligation: delete the audit log after 30 days") or handle prohibitions with remedial actions. It transforms access control from a simple gatekeeper into a stateful normative engine capable of expressing complex compliance rules, such as "Permit access to the record, but prohibit forwarding it outside the legal department."
Related Terms
Explore the formal logic, policy languages, and computational frameworks that underpin the XACML Deontic Profile for enterprise-grade normative enforcement.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us