I've begun doing some research on XACML and external authorization. Right now I have an existing application which utilizes an RBAC model. However, the implementation has a lot of shortcomings (roles can't be easily defined, roles are too coarsely grained).

Is XACML a good alternative to look at? Are there any existing applications which have switched to XACML from an RBAC origin? Are there any shortcomings?

+3  A: 

Disclaimer: I'm a developer for IBM, and I work on our product that uses XACML extensively (Tivoli Security Policy Manager). I'm a little biased towards XACML.

I think XACML is a great alternative, mainly because it can support almost any security model. I'd suggest modelling your existing RBAC solution in XACML (see the profile), then extending it to include finer-grained access control where your business requirements demand it.

Externalizing your authorization code into policy has the added advantage of being able to modify your application's security model without recompiling it.

Are there any existing applications which have switched to XACML from an RBAC origin?

Unfortunately I'm not aware of any particular examples, at least ones that I can talk about publicly. There is an internal IBM project that allocated a month for implementing their authorization module, but got it done in a week by externalizing it using our XACML implementation. This is obviously different to your example as it was a "greenfield" development project, but highlights that there are benefits to be had with the general approach you're considering.

craigforster
Thanks for the hints!
spa
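The approach the answer recommends (express the existing roles in XACML using the RBAC profile's role attribute, then add finer-grained rules where the business needs them), as an added example that is not part of the original thread and is not IBM's or any other vendor's code. The policy grants the role "doctor" read access to any record (plain RBAC) and adds one attribute-based rule: a doctor may write a record only if the record's attending physician is that doctor. The role attribute id is the one defined by the XACML RBAC profile; the attending-physician attribute id is an assumption for this example, as are the subject and resource values. The evaluator implements only the XACML 3.0 subset the policy uses (string-equal matches, string-one-and-only, permit-overrides).

```python
"""Added example, not code from the original page or from any vendor product: a small
XACML 3.0 policy encoding one RBAC permission (role 'doctor' may read any record) and one
finer-grained rule (a doctor may write only records of patients they attend), plus a
minimal evaluator for exactly the XACML subset the policy uses."""
import xml.etree.ElementTree as ET

NS = {"x": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"}
FN = "urn:oasis:names:tc:xacml:1.0:function:"
STR = "http://www.w3.org/2001/XMLSchema#string"
SUBJ = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RES = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACT = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
SUBJ_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ACT_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
ROLE = "urn:oasis:names:tc:xacml:2.0:subject:role"  # role attribute id from the XACML RBAC profile
PHYSICIAN = "urn:example:attending-physician"        # assumed application-specific resource attribute

POLICY = f"""<Policy xmlns="{NS['x']}" PolicyId="doctor-records" Version="1.0"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides">
  <Target><AnyOf><AllOf><Match MatchId="{FN}string-equal">
    <AttributeValue DataType="{STR}">doctor</AttributeValue>
    <AttributeDesignator Category="{SUBJ}" AttributeId="{ROLE}" DataType="{STR}" MustBePresent="false"/>
  </Match></AllOf></AnyOf></Target>
  <Rule RuleId="doctor-reads-any-record" Effect="Permit">
    <Target><AnyOf><AllOf><Match MatchId="{FN}string-equal">
      <AttributeValue DataType="{STR}">read</AttributeValue>
      <AttributeDesignator Category="{ACT}" AttributeId="{ACT_ID}" DataType="{STR}" MustBePresent="false"/>
    </Match></AllOf></AnyOf></Target>
  </Rule>
  <Rule RuleId="doctor-writes-own-patients" Effect="Permit">
    <Target><AnyOf><AllOf><Match MatchId="{FN}string-equal">
      <AttributeValue DataType="{STR}">write</AttributeValue>
      <AttributeDesignator Category="{ACT}" AttributeId="{ACT_ID}" DataType="{STR}" MustBePresent="false"/>
    </Match></AllOf></AnyOf></Target>
    <Condition><Apply FunctionId="{FN}string-equal">
      <Apply FunctionId="{FN}string-one-and-only">
        <AttributeDesignator Category="{SUBJ}" AttributeId="{SUBJ_ID}" DataType="{STR}" MustBePresent="false"/>
      </Apply>
      <Apply FunctionId="{FN}string-one-and-only">
        <AttributeDesignator Category="{RES}" AttributeId="{PHYSICIAN}" DataType="{STR}" MustBePresent="false"/>
      </Apply>
    </Apply></Condition>
  </Rule>
</Policy>"""


def request(subject_id, roles, action, physician=None):
    """Request context as category -> attribute id -> bag of values (constructed input)."""
    res = {PHYSICIAN: [physician]} if physician else {}
    return {SUBJ: {SUBJ_ID: [subject_id], ROLE: roles}, ACT: {ACT_ID: [action]}, RES: res}


bag = lambda req, cat, attr: req.get(cat, {}).get(attr, [])  # attribute lookup, empty bag if absent


def match_ok(m, req):
    """A Match holds if the literal equals any member of the designated bag."""
    assert m.get("MatchId") == FN + "string-equal", "only string-equal is implemented"
    d = m.find("x:AttributeDesignator", NS)
    return m.find("x:AttributeValue", NS).text in bag(req, d.get("Category"), d.get("AttributeId"))


def eval_target(target, req):
    """Every AnyOf must hold; an AnyOf holds if some AllOf holds; an AllOf if every Match holds."""
    if target is None:  # an absent Target matches everything
        return True
    return all(any(all(match_ok(m, req) for m in allof.findall("x:Match", NS))
                   for allof in anyof.findall("x:AllOf", NS))
               for anyof in target.findall("x:AnyOf", NS))


def eval_expr(node, req):
    """Condition expressions: designators yield bags; Apply covers the two functions used above."""
    tag = node.tag.split("}")[1]
    if tag == "AttributeDesignator":
        return bag(req, node.get("Category"), node.get("AttributeId"))
    if tag == "AttributeValue":
        return node.text
    fn, args = node.get("FunctionId"), [eval_expr(c, req) for c in node]
    if fn == FN + "string-one-and-only":
        if len(args[0]) != 1:  # XACML makes this Indeterminate, not False
            raise ValueError("bag must hold exactly one value")
        return args[0][0]
    if fn == FN + "string-equal":
        return args[0] == args[1]
    raise ValueError(f"unsupported expression {tag} {fn}")


def eval_rule(rule, req):
    try:
        if not eval_target(rule.find("x:Target", NS), req):
            return "NotApplicable"
        cond = rule.find("x:Condition", NS)
        if cond is not None and not eval_expr(cond[0], req):
            return "NotApplicable"
        return rule.get("Effect")
    except ValueError:
        return "Indeterminate"


def evaluate(policy_xml, req):
    """permit-overrides (simplified): Permit beats Indeterminate beats Deny beats NotApplicable."""
    policy = ET.fromstring(policy_xml)
    if not eval_target(policy.find("x:Target", NS), req):
        return "NotApplicable"
    results = {eval_rule(r, req) for r in policy.findall("x:Rule", NS)}
    return next((d for d in ("Permit", "Indeterminate", "Deny") if d in results), "NotApplicable")
```

Two points a practitioner should take from this. First, the role check and the ownership check live in the same policy document, so tightening "doctors may write any record" to "doctors may write their own patients' records" is a policy edit, not a code change, which is the recompilation point made in the answer. Second, the enforcement point must treat every decision other than Permit as a deny: a write request that omits the attending-physician attribute evaluates to Indeterminate (string-one-and-only on an empty bag), and a subject without the doctor role falls outside the policy target and gets NotApplicable. Neither is a Permit, and an application that only checks "not Deny" would let both through.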