Policy Decision Point


A Policy Decision Point (PDP) evaluates Access Requests against the digital representation of the Authorization Policies from the Policy Retrieval Point, along with data from the Policy Information Point, before issuing access decisions.

Obviously, in some systems all of the entities may reside within the same application of the same host.

RFC 2753

Policy Decision Point (PDP): The point where policy decisions are made.


The system entity that evaluates applicable policy and renders an authorization decision. This term is defined in a joint effort by the IETF Policy Framework Working Group and the Distributed Management Task Force (DMTF)/Common Information Model (CIM) in RFC 3198. This term corresponds to "Access Decision Function" (ADF) in (ISO10181-3). The OASIS XACML standard defines Policy Decision Point and its implementation using the XACML language.


The concept of Policy Decision Point (also known as Access Control Decision Function) is a locus where policy rules have been resolved, evaluated, and combined to yield a binary value for interpretation by a Policy Enforcement Point.


Policy Decision Point is a component of a Policy Based Management System. When an entity performs an Access Request for a resource on a network that uses a Policy Based Management System, the Policy Information Point will describe the entity's attributes to other entities on the system. The Policy Decision Point has the job of deciding whether or not to authorize the user based on the description of the entity's attributes. Applicable policies are stored on the system and are analyzed by the Policy Decision Point. The Policy Decision Point makes its decision and returns it. The Policy Enforcement Point will let the entity know whether or not it has been authorized to access the requested resource.
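The request flow described above, as an added Python example that is not part of the original page or of any standard's reference code. The subjects, attributes and rules are constructed, and the deny-overrides combining and the deny-when-nothing-applies fallback are assumptions chosen to yield the binary decision the Policy Enforcement Point interprets.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed sample data: all names, attributes and rules are hypothetical.
SUBJECT_ATTRS = {  # what the Policy Information Point knows
    "alice": {"role": "engineer", "mfa": True},
    "bob": {"role": "contractor", "mfa": False},
    "carol": {"role": "engineer", "mfa": False},
}

@dataclass(frozen=True)
class Rule:
    effect: str                                # "permit" or "deny"
    applies: Callable[[dict, str, str], bool]  # (attrs, action, resource)

POLICIES = [  # what the Policy Retrieval Point returns
    Rule("permit", lambda s, a, r: s["role"] == "engineer" and r.startswith("repo/")),
    Rule("permit", lambda s, a, r: a == "read" and r.startswith("docs/")),
    Rule("deny", lambda s, a, r: a == "write" and not s["mfa"]),
]

def pip_lookup(subject: str) -> dict:
    """Policy Information Point: describe the requesting entity."""
    return SUBJECT_ATTRS.get(subject, {"role": "unknown", "mfa": False})

def prp_fetch() -> list:
    """Policy Retrieval Point: hand the stored policies to the PDP."""
    return POLICIES

def pdp_decide(subject: str, action: str, resource: str) -> bool:
    """Policy Decision Point: resolve, evaluate and combine the rules."""
    attrs = pip_lookup(subject)
    effects = {rule.effect for rule in prp_fetch()
               if rule.applies(attrs, action, resource)}
    if "deny" in effects:       # assumption: deny-overrides combining
        return False
    return "permit" in effects  # assumption: no applicable rule means deny

def pep_enforce(subject: str, action: str, resource: str) -> str:
    """Policy Enforcement Point: act on the PDP's binary answer."""
    allowed = pdp_decide(subject, action, resource)
    return "200 OK" if allowed else "403 Forbidden"

if __name__ == "__main__":
    for req in [("alice", "write", "repo/app"), ("bob", "read", "docs/faq"),
                ("carol", "write", "repo/app"), ("mallory", "read", "repo/app")]:
        print(req, "->", pep_enforce(*req))
```

The `carol` request shows why the combining step matters: a permit rule and a deny rule both apply, and the PDP must still return a single value.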
