Overview#Policy Based Management System is a Framework in which an Access Request received by a Policy Enforcement Point (PEP) is presented to a Policy Decision Point which retrieves the Authorization Policy data from a Policy Retrieval Point along with data on the Entity requesting access and data on the Target Resource from Policy Information Point(s) and renders a decision to the Policy Decision Point.
Generally, any of the AAA Servers (or Access Control Engines) transactions may retrieve a policy or evaluate a Access Control Policy, and any of the Service Equipment may enforce a policy. Policy Retrieval Points (Policy Repositories) may reside on any of the Access Control Engines or be located elsewhere in the network.
Data against which Access Control Policy conditions are evaluated (such as resource status, session state, or time of day) are accessible at Policy Information Points (PIPs) and might be accessed using Policy Information Blocks (PIBs).
|PAP||Policy Administration Point||Point which manages access authorization policies|
|PDP||Policy Decision Point||Point which evaluates access requests against authorization policies before issuing access decisions|
|PEP||Policy Enforcement Point||Point which intercepts user's access request to a resource, makes a decision request to the PDP to obtain the access decision (i.e. access to the resource is approved or rejected), and acts on the received decision|
|PIP||Policy Information Point||The system entity that acts as a source of attribute values (i.e. a resource, subject, environment)|
|PRP||Policy Retrieval Point||Point where the XACML access authorization policies are stored, typically a database or the filesystem. (Not in DIagram below)|
- A subject (Alice) element is the entity requesting access. A subject has one or more attributes.
- The resource element is a data, service or system component. A resource has one or more attributes.
- An Resource Action element defines the type of access requested on the resource. Actions have one or more attributes.
- An environment (or Context) element can optionally provide additional attributes.
When an actionable event is encountered at the Policy Enforcement Point contacts the Policy Decision Point which interprets the policies from the Policy Retrieval Points and the Policy Information Point and then communicates the appropriate decision to be exercised by the Policy Enforcement Point
- the Policy Management Tool (PMT) which we refer to as the Policy Administration Point (PAP)
- Policy Repository which we refer to as the Policy Information Point (PIP)
- Policy Decision Point (PDP)
- Policy Enforcement Point (PEP).
- Google Cloud Platform - BeyondCorp
- Netflix - (uses PADME and Open Policy Agent) Netflix OSS Meetup Season 5 Episode 1 - Security
- Secure Production Identity Framework For Everyone (SPIFFE)
- Policy Access Decision Management Engine
- Open Policy Agent
More Information#There might be more information for this subject on one of the following:
- Access Control
- Access Control Models
- Adaptive Policy-based Access Management
- Identity Aware Proxy
- Open Policy Agent
- Policy Administration Point
- Policy Decision Point
- Policy Information Point
- Policy Retrieval Point