Hi Alexander, Thanks for asking this. Quick answer is: Not yet. Near term, you can expect support for XACML policies but I'm not sure about the whole protocol itself. Our services are really based on OAuth2, OpenID Connect and UMA [1]. Where the latter plays an important role. Like Stian said, Keycloak Authorization Services is not trying to answer XACML in any way. On the contrary, we have plans to support XACML in the future. Specially XACML policies, where you would be able to import them and have them managed by Keycloak. Aggregated policies are just one of the different types of policies we provide. They are not really related with XACML. In fact, they give you a lot of flexibility when writing more complex policies and favor reuse. Some of the XACML features that you mentioned can also be achieve with Keycloak. For instance, aggregated policies can help you to combine different policies and manage their results. Delegation and Obligation/Claim Gathering would be possible as soon as we finish our UMA implementation. You can define different decisions strategies for permissions or aggregated policies, which are similar to XACML combining algorithms. However, authorization requests and decisions are always associated with a token. Where decisions are made based on the user and the client represented by this token. Differently than XACML, you can not send authorization requests for different subjects (multiple decision profile ?) but you can ask for different resources/scopes. [1] https://docs.kantarainitiative.org/uma/rec-uma-core.html Regards. Pedro Igor ----- Original Message -----