This specification defines a profile for the use of the OASIS eXtensible Access Control Markup Language (XACML), versions 3.0 [XACMLv3] and earlier. Use of this profile requires no changes or extensions to the XACML standard. This specification assumes the reader is somewhat familiar with XACML.

XACML can be used for controlling access within a single application. This removes hard-coded security constraints from the application code, making it easier to change them. It also makes it possible to use a standard Policy Decision Point (PDP), so that organizations can make a proper make-or-buy decision. For virtually all organizations, authorization is not their core business, so being able to use an off-the-shelf product is appealing.

Although these are substantial benefits, XACML really shines when authorization is completely externalized from the application. Policies can then be reused across many applications, each using the same PDP. This leads to greater consistency of access control rules and improved efficiency in maintaining them.