Overview#

Policy Based Management System is a Framework in which an Access Request received by a Policy Enforcement Point (PEP) is presented to a Policy Decision Point which retrieves the Authorization Policy data from a Policy Retrieval Point along with data on the Entity requesting access and data on the Target Resource from Policy Information Point(s) and renders a decision to the Policy Decision Point.

Generally, any of the AAA Servers (or Access Control Engines) transactions may retrieve a policy or evaluate a Access Control Policy, and any of the Service Equipment may enforce a policy. Policy Retrieval Points (Policy Repositories) may reside on any of the Access Control Engines or be located elsewhere in the network.

Data against which Access Control Policy conditions are evaluated (such as resource status, session state, or time of day) are accessible at Policy Information Points (PIPs) and might be accessed using Policy Information Blocks (PIBs).

A Policy Based Management System consists of four main functional Non_normative elements: (following RFC 2904, except for PAP) [2]

Policy sets, rules and requests all use subjects, resources, environments, and Resource Action.

• A subject (Alice) element is the entity requesting access. A subject has one or more attributes.
• The resource element is a data, service or system component. A resource has one or more attributes.
• An Resource Action element defines the type of access requested on the resource. Actions have one or more attributes.
• An environment (or Context) element can optionally provide additional attributes.

The Resulting policies are stored in a Policy Retrieval Point

When new policies have been added in the Policy Retrieval Point, or existing ones have been changed, the Policy Administration Point MUST update the relevant Policy Retrieval Points

When an actionable event is encountered at the Policy Enforcement Point contacts the Policy Decision Point which interprets the policies from the Policy Retrieval Points and the Policy Information Point and then communicates the appropriate decision to be exercised by the Policy Enforcement Point

The most well known policy-based management architecture was specified jointly by the IETF and the DMTF. This consists of four main functional elements:[1]

• the Policy Management Tool (PMT) which we refer to as the Policy Administration Point (PAP)
• Policy Repository which we refer to as the Policy Information Point (PIP)
• Policy Decision Point (PDP)
• Policy Enforcement Point (PEP).

The preferred choice for communicating policy decisions between a PDP and network devices (PEPs) is the Common Open Policy Service (COPS) or SNMP, and LDAP for the PAP/PDP–PIP communication.

Policy Based Management System Examples#

Many modern Organizational Entitys have implementaitons:

• Google Cloud Platform - BeyondCorp
• Netflix - (uses PADME and Open Policy Agent) Netflix OSS Meetup Season 5 Episode 1 - Security
• Secure Production Identity Framework For Everyone (SPIFFE)
• Policy Access Decision Management Engine
• Open Policy Agent
• Istio

More Information#

There might be more information for this subject on one of the following:

• API-Gateway
• Access Control
• Access Control Models
• Adaptive Policy-based Access Management
• BeyondCorp
• Common Open Policy Service
• Identity Aware Proxy
• Mobile Device Management
• Open Policy Agent
• Policy
• Policy Administration Point
• Policy Core Information Model
• Policy Decision Point
• Policy Information Point
• Policy Retrieval Point
• XACML

---

• [#1] - Policy-based management - based on information obtained 2015-10-10
• [#2] - XACML - based on information obtained 2017-10-04