Fine grained access control with XACML

I would like to implement a fine grained access control protocol within a service, by which I mean the following:

I have some data relating to customer accounts. The service provides the ability to request basic account info and optionally include additional sub info. Assume that the ‘get account’ service, including all details, returns an XML structure like that below:

I’m passing user credentials using WSS UsernameTokens in the SOAP header and parsing them out separately in my own preprocessor. As I see it I have three levels of authorisation to perform:

  1. Coarse grained: is the user even allowed to access the service? My SOAP pre-processor handles this.

  2. Fine grained pre-request: Is this user allowed to request e.g. rating information? This looks like the sort of thing that XACML should handle.

  3. Fine grained post-request: Having retrieved the data to fulfil the request, I need to filter out some fields, e.g. if the call_log includes certain types of data and the requestor is not the primary account holder I need to sanitise the returned data.

Can anyone suggest whether XACML is appropriate for (2) above, and if so what experience they have implementing XACML on wM, and also what approach they’d suggest for (3) which is generic enough to be reused?
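To make levels (2) and (3) concrete, here is an added example that is not part of the original post and is not an XACML engine: a plain-Python stand-in for a deny-by-default pre-request decision followed by a reusable post-request response filter. The sample XML, every element name other than `call_log`, the role names and both policy tables are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample response; element names other than call_log are assumptions.
SAMPLE = """<account id="A1">
  <holder>alice</holder>
  <rating>AA</rating>
  <call_log>
    <call type="standard" number="555-0100"/>
    <call type="premium" number="555-0199"/>
  </call_log>
</account>"""

# Level 2 policy (hypothetical): optional sections each role may request.
REQUEST_POLICY = {
    "primary_holder": {"rating", "call_log"},
    "secondary_user": {"call_log"},
}
# Level 3 policy (hypothetical): call types only the primary holder may see.
RESTRICTED_CALL_TYPES = {"premium"}

def authorise_request(role, sections):
    """Pre-request decision: deny unless every requested section is permitted."""
    allowed = REQUEST_POLICY.get(role, set())  # unknown role: nothing allowed
    denied = sorted(set(sections) - allowed)
    return (not denied, denied)

def filter_response(xml_text, role, sections):
    """Post-request filter: drop unrequested sections and restricted entries."""
    root = ET.fromstring(xml_text)
    for section in ("rating", "call_log"):
        node = root.find(section)
        if node is not None and section not in sections:
            root.remove(node)
    log = root.find("call_log")
    if log is not None and role != "primary_holder":
        for call in list(log):  # copy: we mutate the parent while iterating
            if call.get("type") in RESTRICTED_CALL_TYPES:
                log.remove(call)
    return ET.tostring(root, encoding="unicode")

def handle(role, sections):
    """Run level 2 first, then level 3 on the retrieved data."""
    ok, denied = authorise_request(role, sections)
    if not ok:
        return "DENY: " + ",".join(denied)
    return filter_response(SAMPLE, role, sections)
```

Keeping the filter driven by a policy table rather than by code paths per service is what makes level (3) reusable across responses with different shapes.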