Policy Enforcement Point


The Policy Enforcement Point (PEP) is where the is actually enforced.

The digital representation of the policy is provided by the policy Information Point to the policy Decision Point which then passes the decision to the Policy Enforcement Point where the access is permitted or denied.

Obviously in some systems, all of the entities:

May reside within the same application of the same host.

Password Policies#

For Password policies, each point where an entry is permitted to change their password, should be able to enforce the password policy.

When performing Consistent Sign On this implies that the point at which the password is changed should be able to enforce the same password policy that is used for the entire organization. Typically, we have found it is best to limit the Policy Decision Points (PDP) to as few as possible as each PDP may interprut the policy slightly different or you may have to duplicate the policy within another system.

RFC 2753#

"Policy Enforcement Point (PEP): The point where the policy decisions are actually enforced."


The concept of Policy Enforcement Point (also known as Access Control Enforcement Function) is where a policy decision is used to grant or deny access to a protected resource. A Policy Enforcement Point typically exists within an application or resource.

More Information#

There might be more information for this subject on one of the following:

Draft stuff#

"Policy Enforcement Point", is the logical entity or place on a server that enforces policies for admission control and policy decisions in response to a request from a user wanting to access a resource on a computer or network server.

PEP is a component of policy-based management. When a user tries to access a file or other resource on a computer network or server that uses policy-based access management, the PEP will describe the user's attributes to other entities on the system. The PEP will give the Policy Decision Point (PDP) the job of deciding whether or not to authorize the user based on the description of the entity's attributes. Applicable policies are stored on the system and are analyzed by the PDP|DefinitionPolicyDecisionPoint]. The PDP|DefinitionPolicyDecisionPoint] makes it's decision and returns the decision. The PEP will let the entity know whether or not he has been authorized to access the requested resource.