How to set up access control in the Orion API for tenant isolation using the Wilma PEP proxy and IdM Keyrock?

I want to enforce access control at the NGSI API level of the Orion API to provide real data isolation. I want to make sure that a tenant can only query / update their own contexts and not those that belong to another tenant.

To do this, I started by putting an instance of the Wilma PEP Proxy in front of the Orion Context Broker. I then configured my own Keyrock Identity Manager GE instance based on the official IdM Keyrock Docker image, and my own Authorization PDP GE based on the official AuthZForce Docker image.

After days of configuration and many tries, I could finally get these three Generic Enablers working together nicely, authenticating and authorizing requests to the NGSI APIs of Orion using PEP level 2.

Be that as it may, this authorization level is not enough to ensure what I want, because the information about the service (tenant) and the subservice (service path) is in the request headers, namely the Fiware-Service and Fiware-ServicePath headers. To create header-based authorization policies, you need to use Level 3: XACML permissions.

The problem is that I did some digging in the official FIWARE documentation and I couldn't find any example of an XACML policy. Apart from that, the official Wilma PEP proxy documentation (see here) says that you might have to modify the PEP proxy source code to get this authorization level:

This case is intended to validate advanced request parameters, such as the body or custom headers, depending on the specific use case. Therefore, the programmer must modify the source code of the PEP proxy to include their specific requirements.

Is it possible?

Do I need to modify the source code of the PEP proxy to achieve something as simple as a tenant only being able to access their own data?

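The check the question is asking for, as an added example that is not part of the original post and not Wilma's own code: a tenant-isolation decision taken on the Fiware-Service and Fiware-ServicePath headers, of the kind a PEP sitting in front of Orion would have to make at "level 3". The Principal shape (which services and service-path prefixes a caller is granted) is an assumption standing in for whatever the PEP derives from the Keyrock token; the tenant-name syntax is a deliberately conservative local policy choice, not a statement about what Orion accepts.

```python
import re
from dataclasses import dataclass

# Conservative tenant-name syntax: lowercase alphanumerics and underscore, at most
# 50 characters. Chosen here as a local policy (assumption, not Orion's spec) so
# that no case-folding or escaping ambiguity can turn "Tenant_A" into "tenant_a".
SERVICE_RE = re.compile(r"^[a-z0-9_]{1,50}$")
PATH_ELEM_RE = re.compile(r"^[A-Za-z0-9_]{1,50}$")


@dataclass(frozen=True)
class Principal:
    """What the PEP learned about the caller from its token (assumed shape)."""
    user_id: str
    # service -> service-path prefixes the caller may touch, e.g. {"tenant_a": ("/",)}
    grants: dict


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def get_header(headers, name):
    """Case-insensitive header lookup: HTTP header names are case-insensitive,
    so 'fiware-service' must be treated the same as 'Fiware-Service'."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def path_allowed(requested, prefixes):
    """True if a single requested service path lies under a granted prefix."""
    # Orion accepts a trailing "/#" hierarchy wildcard; judge "/iot/#" by "/iot".
    base = requested[:-2] if requested.endswith("/#") else requested
    if base == "":
        base = "/"
    if not base.startswith("/") or "//" in base:
        return False
    elements = [] if base == "/" else base.strip("/").split("/")
    if any(not PATH_ELEM_RE.match(e) for e in elements):
        return False
    for prefix in prefixes:
        if prefix == "/" or base == prefix or base.startswith(prefix.rstrip("/") + "/"):
            return True
    return False


def authorize_tenant(principal, headers):
    """Decide whether the caller may act in the tenant named by the request headers."""
    service = get_header(headers, "Fiware-Service")
    if service is None:
        # A request without Fiware-Service lands in Orion's default tenant.
        # Refuse it rather than let any caller read whatever lives there.
        return Decision(False, "missing Fiware-Service header")
    if not SERVICE_RE.match(service):
        return Decision(False, "malformed Fiware-Service")
    prefixes = principal.grants.get(service)
    if not prefixes:
        return Decision(False, f"{principal.user_id} is not granted service {service}")
    # Orion defaults a missing service path to "/"; a query may also name several
    # paths separated by commas, and every one of them must be permitted.
    raw = get_header(headers, "Fiware-ServicePath") or "/"
    for sp in (s.strip() for s in raw.split(",")):
        if not path_allowed(sp, prefixes):
            return Decision(False, f"service path {sp} not permitted in {service}")
    return Decision(True, "ok")


if __name__ == "__main__":
    # Constructed caller and requests, for illustration only.
    alice = Principal("alice", {"tenant_a": ("/iot",)})
    for hdrs in (
        {"Fiware-Service": "tenant_a", "Fiware-ServicePath": "/iot/dev"},
        {"Fiware-Service": "tenant_b", "Fiware-ServicePath": "/iot"},
        {},
        {"Fiware-Service": "tenant_a", "Fiware-ServicePath": "/iot,/other"},
    ):
        print(hdrs, "->", authorize_tenant(alice, hdrs))
```

Two points a deployment should keep: the missing-header case is denied outright, because otherwise an authenticated user of any tenant could read the default tenant, and a comma-separated service-path list is only allowed when every element is under a granted prefix, since one stray "/" in the list would widen the query to the whole tenant.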


1 answer


Very good question. There are GEi alternatives out there that perfectly support the use cases you're talking about. Please check out this presentation:

https://es.slideshare.net/FI-WARE/building-your-own-iot-platform-using-fiware-geis



Thanks, better
