Overview#

A Policy Based Management System is a framework in which an access request received by a Policy Enforcement Point (PEP) is presented to a Policy Decision Point (PDP). The PDP retrieves the authorization policy data from a Policy Retrieval Point, along with data on the entity requesting access and data on the target resource from one or more Policy Information Points, and renders a decision back to the Policy Enforcement Point.

Generally, any of the AAA Servers (or Access Control Engines) may retrieve a policy or evaluate an Access Control Policy as part of a transaction, and any of the Service Equipment may enforce a policy. Policy Retrieval Points (Policy Repositories) may reside on any of the Access Control Engines or be located elsewhere in the network.

Data against which Access Control Policy conditions are evaluated (such as resource status, session state, or time of day) are accessible at Policy Information Points (PIPs) and might be accessed using Policy Information Blocks (PIBs).

A Policy Based Management System consists of four main (non-normative) functional elements (following RFC 2904, except for the PAP) [2]:

| Abbr | Term | Description |
| --- | --- | --- |
| PAP | Policy Administration Point | Point which manages access authorization policies |
| PDP | Policy Decision Point | Point which evaluates access requests against authorization policies before issuing access decisions |
| PEP | Policy Enforcement Point | Point which intercepts a user's access request to a resource, makes a decision request to the PDP to obtain the access decision (i.e. access to the resource is approved or rejected), and acts on the received decision |
| PIP | Policy Information Point | The system entity that acts as a source of attribute values (i.e. for a resource, subject or environment) |
| PRP | Policy Retrieval Point | Point where the XACML access authorization policies are stored, typically a database or the filesystem (not in the diagram below) |

[Figure: XACML_Architecture_&_Flow.png]

Policy sets, rules and requests all use subjects, resources, environments and Resource Actions.

The resulting policies are stored in a Policy Retrieval Point.

When new policies are added or existing ones are changed, the Policy Administration Point MUST update the relevant Policy Retrieval Points.

When an actionable event is encountered, the Policy Enforcement Point contacts the Policy Decision Point, which interprets the policies from the Policy Retrieval Points together with the attributes from the Policy Information Point and then communicates the appropriate decision to be exercised by the Policy Enforcement Point.
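The loop described above, as an added example that is not part of the original page: a minimal Python model of the five elements in the table, with constructed subjects, resources and policies (the names alice, bob, rec-42 and the two rules are assumptions made for the example). It shows the PAP pushing a policy into the PRP, the PEP handing each intercepted request to the PDP, the PDP resolving subject and resource attributes through the PIP, and the PEP enforcing deny-by-default. It also covers the two failure modes a practitioner wants handled explicitly: an action no policy governs yields NotApplicable, and a missing attribute (an unknown subject, or a rule that needs an environment value the request did not carry) yields Indeterminate; in both cases the PEP refuses access.

```python
# Added example, not code from the original page: a toy policy-based access
# management loop with the five elements from the table. A PAP publishes
# policies to a PRP; a PEP asks the PDP; the PDP pulls the governing policies
# from the PRP, resolves attributes via a PIP and returns Permit/Deny/
# NotApplicable/Indeterminate, which the PEP enforces deny-by-default.
# All subjects, resources and policies below are constructed sample data.
from dataclasses import dataclass

PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"

@dataclass
class Rule:
    rule_id: str
    effect: str        # PERMIT or DENY
    condition: object  # callable over the attribute bag; may raise KeyError

@dataclass
class Policy:
    policy_id: str
    target_actions: set  # action ids this policy governs
    rules: list

class PolicyRetrievalPoint:
    """Policy store (a database or the file system in a real deployment)."""
    def __init__(self):
        self.policies = {}
    def retrieve(self, action):
        return [p for p in self.policies.values() if action in p.target_actions]

class PolicyAdministrationPoint:
    """Manages policies and pushes every addition or change to the relevant PRPs."""
    def __init__(self, prps):
        self.prps = prps
    def publish(self, policy):
        for prp in self.prps:
            prp.policies[policy.policy_id] = policy

class PolicyInformationPoint:
    """Source of attribute values that the request itself does not carry."""
    def __init__(self, sources):
        self.sources = sources
    def lookup(self, category, key):
        return self.sources[category][key]  # KeyError for an unknown entity

class PolicyDecisionPoint:
    def __init__(self, prp, pip):
        self.prp, self.pip = prp, pip
    def decide(self, request):
        policies = self.prp.retrieve(request["action"])
        if not policies:
            return NOT_APPLICABLE  # no policy governs this action
        try:  # enrich the request with attributes from the PIP
            attrs = {"action": request["action"],
                     "environment": request.get("environment", {}),
                     "subject": self.pip.lookup("subject", request["subject_id"]),
                     "resource": self.pip.lookup("resource", request["resource_id"])}
        except KeyError:
            return INDETERMINATE  # unknown subject or resource
        decision = NOT_APPLICABLE
        for policy in policies:  # deny-overrides combining
            for rule in policy.rules:
                try:
                    applies = rule.condition(attrs)
                except KeyError:
                    return INDETERMINATE  # the rule needed an attribute nobody supplied
                if applies and rule.effect == DENY:
                    return DENY
                decision = PERMIT if applies else decision
        return decision

class PolicyEnforcementPoint:
    """Intercepts the request; anything other than an explicit Permit is refused."""
    def __init__(self, pdp):
        self.pdp = pdp
    def enforce(self, request):
        decision = self.pdp.decide(request)
        return decision == PERMIT, decision

def build_system():
    # constructed sample data: two subjects, one sensitive resource, one policy
    pip = PolicyInformationPoint({
        "subject": {"alice": {"role": "doctor", "dept": "cardiology"},
                    "bob": {"role": "billing", "dept": "finance"}},
        "resource": {"rec-42": {"dept": "cardiology", "sensitive": True}}})
    prp = PolicyRetrievalPoint()
    pap = PolicyAdministrationPoint([prp])
    pap.publish(Policy("medical-records", {"read"}, [
        Rule("same-dept-clinician", PERMIT, lambda a: a["subject"]["role"] == "doctor"
             and a["subject"]["dept"] == a["resource"]["dept"]),
        Rule("no-sensitive-off-hours", DENY, lambda a: a["resource"]["sensitive"]
             and not 8 <= a["environment"]["hour"] < 18)]))
    return PolicyEnforcementPoint(PolicyDecisionPoint(prp, pip)), pap

def access_request(subject_id, resource_id, action, hour=None):
    """Build the request a PEP would intercept; hour is the (constructed) environment attribute."""
    req = {"subject_id": subject_id, "resource_id": resource_id, "action": action}
    if hour is not None:
        req["environment"] = {"hour": hour}
    return req
```

`build_system()` returns the PEP and the PAP. Because the PAP writes into the same PRP the PDP reads from, a policy published through the PAP takes effect on the next decision, which is the update obligation stated above; in a distributed deployment that propagation is where stale or partially updated PRPs become a real risk, and the deny-by-default PEP keeps an Indeterminate or NotApplicable result from silently granting access.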

The most well-known policy-based management architecture was specified jointly by the IETF and the DMTF. It consists of four main functional elements:[1]

The preferred choice for communicating policy decisions between a PDP and network devices (PEPs) is the Common Open Policy Service (COPS) or SNMP, with LDAP for the PAP/PDP/PIP communication.

Policy Based Management System Examples#

Many modern Organizational Entities have implementations:

More Information#

There might be more information for this subject on one of the following:

This page (revision-22) was last changed on 13-Oct-2017 11:32 by jim