I have been mulling over the concept of Obligations in the XACML specification. Basically the PDP can send authorization results back to the PEP with a list of obligations that the PEP has to fulfill as part of the authorization request. If the PEP is unable to fulfill an obligation, then it should throw an error.
I thought that when a legitimate authorization request comes to a PEP, the PEP asks the PDP and gets a "PERMIT" with some obligations, and if the PEP is unable to perform any obligation, it flags an error and denies the access. I was WRONG. Anne Anderson from Sun corrected me on this. She basically told me that there is a semantic relationship between the PEP and the PAP, which decide on the semantics of obligations. So the PEP makes a best effort at an obligation. If it is not able to perform an obligation, it does not mean the access is denied.
Let us think about situations where a PEP may refuse to perform any of the obligations. Let us take the example of logging. Security and performance do not always go together well. In a high-performance system, fine-grained authorization checks may be overkill. The administrators may have turned off logging at the PEP level. In this case, the PEP cannot meet an obligation that asks for logging.
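
The logging case above, as an added example that is not part of the original post: a small PEP routine that reads the obligations out of a PDP response and attempts each one on a best-effort basis, reporting the ones it could not perform instead of denying access. It assumes the XACML 2.0 response format; the sample response, the `urn:example:...` identifiers, and the `enforce` function and its `handlers` argument are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# XACML 2.0 namespaces (assumed version): context for Response, policy for Obligations.
CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
POL = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"

# Constructed sample PDP response; the obligation identifiers are made up.
SAMPLE_RESPONSE = f"""<Response xmlns="{CTX}">
  <Result>
    <Decision>Permit</Decision>
    <Obligations xmlns="{POL}">
      <Obligation ObligationId="urn:example:obligation:log" FulfillOn="Permit">
        <AttributeAssignment AttributeId="urn:example:message"
            DataType="http://www.w3.org/2001/XMLSchema#string">record access</AttributeAssignment>
      </Obligation>
      <Obligation ObligationId="urn:example:obligation:notify" FulfillOn="Deny"/>
    </Obligations>
  </Result>
</Response>"""


def enforce(response_xml, handlers):
    """Return (access_granted, fulfilled_ids, unfulfilled_ids).

    handlers maps an ObligationId to a callable taking the assignment dict.
    A missing handler models a capability the administrator has turned off.
    """
    result = ET.fromstring(response_xml).find(f"{{{CTX}}}Result")
    decision = result.findtext(f"{{{CTX}}}Decision")
    fulfilled, unfulfilled = [], []
    for ob in result.iter(f"{{{POL}}}Obligation"):
        if ob.get("FulfillOn") != decision:
            continue  # this obligation is tied to the other decision
        oid = ob.get("ObligationId")
        args = {a.get("AttributeId"): (a.text or "").strip()
                for a in ob.iter(f"{{{POL}}}AttributeAssignment")}
        handler = handlers.get(oid)
        try:
            if handler is None:
                raise LookupError("no handler enabled for " + oid)
            handler(args)
            fulfilled.append(oid)
        except Exception:
            # Best effort as described in the post: record it, do not deny.
            unfulfilled.append(oid)
    return decision == "Permit", fulfilled, unfulfilled
```

The third return value gives the PEP owner a place to surface skipped obligations, for example as a metric, so that a disabled logger does not go unnoticed.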