This graphic shows fine-grained authorization.
The web service client sends a SOAP or XML/REST request. OWSM performs authentication and invokes OES for authorization. OES calls the lookup action configured for the protected resource and responds with any configured Obligations. OWSM evaluates the Obligations and executes the XPaths on the payload. OES then determines access based on the subject, resource, action, and attributes.
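The two-phase exchange described above, sketched as an added example (not Oracle code and not the OWSM or OES API). The enforcement side asks for obligations, runs the returned XPaths on the payload, and then requests the final decision. The policy table, resource name, namespace, rule, and function names are all assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for the decision service's policy store (hypothetical
# format): per resource, the XPath obligations and the final access rule.
POLICY = {
    "BankService/transfer": {
        "obligations": {"amount": ".//{urn:example:bank}amount",
                        "currency": ".//{urn:example:bank}currency"},
        "rule": lambda subj, action, a: (
            action == "invoke" and "teller" in subj["roles"]
            and a["currency"] == "USD" and 0 < float(a["amount"]) <= 10000),
    }
}

# Constructed sample SOAP request.
SAMPLE = ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
          'xmlns:b="urn:example:bank"><s:Body><b:transfer>'
          '<b:amount>2500</b:amount><b:currency>USD</b:currency>'
          '</b:transfer></s:Body></s:Envelope>')

def pdp_lookup(resource):
    """Decision side, phase 1: return the obligations (attribute -> XPath)."""
    entry = POLICY.get(resource)
    return dict(entry["obligations"]) if entry else None

def pdp_decide(subject, resource, action, attrs):
    """Decision side, phase 2: subject + resource + action + attributes."""
    entry = POLICY.get(resource)
    if entry is None:
        return False
    try:
        return bool(entry["rule"](subject, action, attrs))
    except (KeyError, TypeError, ValueError):
        return False  # missing or malformed attribute: deny

def pep_authorize(subject, resource, action, payload_xml):
    """Enforcement side: lookup, run the XPaths on the payload, get decision."""
    obligations = pdp_lookup(resource)
    if obligations is None:
        return False  # unprotected or unknown resource: deny by default
    try:
        root = ET.fromstring(payload_xml)
    except ET.ParseError:
        return False
    attrs = {}
    for name, xpath in obligations.items():
        nodes = root.findall(xpath)
        if len(nodes) != 1 or nodes[0].text is None:
            return False  # absent or duplicated element is ambiguous: deny
        attrs[name] = nodes[0].text.strip()
    return pdp_decide(subject, resource, action, attrs)
```

Denying when an XPath matches more than one node keeps the decision from being made on a different element than the one the backend service later reads.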